dcrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e080e7fb0b34b6c79705d7689afc78.exe
Size

885KB
MD5

67e080e7fb0b34b6c79705d7689afc78
SHA1

e82affbbc2595fe40579375cf5c41a7d826eacc7
SHA256

58898fe0524fffa99b22385eb2e89bd5779d40bf743b3b1ec0cde137015bbbbd
SHA512

37ee5981558160f13d208bc871e33ffabb5dd1887b5b974f6b8232e936127c6cb5f2c59013675d4f64b22b9bd384eac71b5da3732d49c1da0312eeb05c988a6d
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx1:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2800	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral5/memory/2384-1-0x00000000001E0000-0x00000000002C4000-memory.dmp	dcrat
behavioral5/files/0x0005000000019c57-18.dat	dcrat
behavioral5/memory/2688-258-0x0000000000B90000-0x0000000000C74000-memory.dmp	dcrat
behavioral5/memory/2916-280-0x00000000002E0000-0x00000000003C4000-memory.dmp	dcrat
behavioral5/memory/1976-292-0x00000000008C0000-0x00000000009A4000-memory.dmp	dcrat
behavioral5/memory/2812-304-0x0000000000C40000-0x0000000000D24000-memory.dmp	dcrat
behavioral5/memory/3056-316-0x0000000000380000-0x0000000000464000-memory.dmp	dcrat
behavioral5/memory/2728-328-0x0000000000090000-0x0000000000174000-memory.dmp	dcrat
behavioral5/memory/1792-340-0x00000000002B0000-0x0000000000394000-memory.dmp	dcrat

Executes dropped EXE 8 IoCs

pid	Process
2688	smss.exe
2392	smss.exe
2916	smss.exe
1976	smss.exe
2812	smss.exe
3056	smss.exe
2728	smss.exe
1792	smss.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\6203df4a6bafc7	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\5940a34987c991	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB8A5.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB8A6.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXB8B9.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXB8BD.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\MSBuild\27d1bcfc3c54e0	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Microsoft Office\24dbde2999530e	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\dllhost.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB87F.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXB8BB.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXB8BC.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\MSBuild\System.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Sidebar\de-DE\sppsvc.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Sidebar\de-DE\0a1fd5f707cd16	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\DVD Maker\csrss.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB87E.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXB8BA.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\DVD Maker\RCXB8CF.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\MSBuild\lsass.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\DVD Maker\886983d96e3d3e	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXB8CE.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\DVD Maker\RCXB8D0.tmp	67e080e7fb0b34b6c79705d7689afc78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2784	schtasks.exe
2616	schtasks.exe
1108	schtasks.exe
2588	schtasks.exe
1376	schtasks.exe
316	schtasks.exe
2884	schtasks.exe
2652	schtasks.exe
1812	schtasks.exe
2376	schtasks.exe
1640	schtasks.exe
1740	schtasks.exe
1068	schtasks.exe
664	schtasks.exe
3008	schtasks.exe
2324	schtasks.exe
1028	schtasks.exe
2728	schtasks.exe
112	schtasks.exe
1736	schtasks.exe
2236	schtasks.exe
1952	schtasks.exe
3032	schtasks.exe
688	schtasks.exe
1652	schtasks.exe
2108	schtasks.exe
496	schtasks.exe
1000	schtasks.exe
1732	schtasks.exe
700	schtasks.exe
2748	schtasks.exe
2120	schtasks.exe
1320	schtasks.exe
600	schtasks.exe
1492	schtasks.exe
2484	schtasks.exe
1772	schtasks.exe
2984	schtasks.exe
2312	schtasks.exe
2896	schtasks.exe
3028	schtasks.exe
548	schtasks.exe
2088	schtasks.exe
1796	schtasks.exe
1880	schtasks.exe
2832	schtasks.exe
2500	schtasks.exe
1004	schtasks.exe
1048	schtasks.exe
2980	schtasks.exe
628	schtasks.exe
928	schtasks.exe
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2384	67e080e7fb0b34b6c79705d7689afc78.exe
2688	smss.exe
2392	smss.exe
2916	smss.exe
1976	smss.exe
2812	smss.exe
3056	smss.exe
2728	smss.exe
1792	smss.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	67e080e7fb0b34b6c79705d7689afc78.exe
Token: SeDebugPrivilege	2688	smss.exe
Token: SeDebugPrivilege	2392	smss.exe
Token: SeDebugPrivilege	2916	smss.exe
Token: SeDebugPrivilege	1976	smss.exe
Token: SeDebugPrivilege	2812	smss.exe
Token: SeDebugPrivilege	3056	smss.exe
Token: SeDebugPrivilege	2728	smss.exe
Token: SeDebugPrivilege	1792	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2812	2384	67e080e7fb0b34b6c79705d7689afc78.exe	85
PID 2384 wrote to memory of 2812	2384	67e080e7fb0b34b6c79705d7689afc78.exe	85
PID 2384 wrote to memory of 2812	2384	67e080e7fb0b34b6c79705d7689afc78.exe	85
PID 2812 wrote to memory of 1740	2812	cmd.exe	87
PID 2812 wrote to memory of 1740	2812	cmd.exe	87
PID 2812 wrote to memory of 1740	2812	cmd.exe	87
PID 2812 wrote to memory of 2688	2812	cmd.exe	89
PID 2812 wrote to memory of 2688	2812	cmd.exe	89
PID 2812 wrote to memory of 2688	2812	cmd.exe	89
PID 2688 wrote to memory of 408	2688	smss.exe	90
PID 2688 wrote to memory of 408	2688	smss.exe	90
PID 2688 wrote to memory of 408	2688	smss.exe	90
PID 2688 wrote to memory of 1764	2688	smss.exe	91
PID 2688 wrote to memory of 1764	2688	smss.exe	91
PID 2688 wrote to memory of 1764	2688	smss.exe	91
PID 408 wrote to memory of 2392	408	WScript.exe	92
PID 408 wrote to memory of 2392	408	WScript.exe	92
PID 408 wrote to memory of 2392	408	WScript.exe	92
PID 2392 wrote to memory of 2804	2392	smss.exe	93
PID 2392 wrote to memory of 2804	2392	smss.exe	93
PID 2392 wrote to memory of 2804	2392	smss.exe	93
PID 2392 wrote to memory of 2748	2392	smss.exe	94
PID 2392 wrote to memory of 2748	2392	smss.exe	94
PID 2392 wrote to memory of 2748	2392	smss.exe	94
PID 2804 wrote to memory of 2916	2804	WScript.exe	95
PID 2804 wrote to memory of 2916	2804	WScript.exe	95
PID 2804 wrote to memory of 2916	2804	WScript.exe	95
PID 2916 wrote to memory of 2960	2916	smss.exe	96
PID 2916 wrote to memory of 2960	2916	smss.exe	96
PID 2916 wrote to memory of 2960	2916	smss.exe	96
PID 2916 wrote to memory of 2616	2916	smss.exe	97
PID 2916 wrote to memory of 2616	2916	smss.exe	97
PID 2916 wrote to memory of 2616	2916	smss.exe	97
PID 2960 wrote to memory of 1976	2960	WScript.exe	98
PID 2960 wrote to memory of 1976	2960	WScript.exe	98
PID 2960 wrote to memory of 1976	2960	WScript.exe	98
PID 1976 wrote to memory of 1012	1976	smss.exe	99
PID 1976 wrote to memory of 1012	1976	smss.exe	99
PID 1976 wrote to memory of 1012	1976	smss.exe	99
PID 1976 wrote to memory of 1648	1976	smss.exe	100
PID 1976 wrote to memory of 1648	1976	smss.exe	100
PID 1976 wrote to memory of 1648	1976	smss.exe	100
PID 1012 wrote to memory of 2812	1012	WScript.exe	101
PID 1012 wrote to memory of 2812	1012	WScript.exe	101
PID 1012 wrote to memory of 2812	1012	WScript.exe	101
PID 2812 wrote to memory of 1776	2812	smss.exe	102
PID 2812 wrote to memory of 1776	2812	smss.exe	102
PID 2812 wrote to memory of 1776	2812	smss.exe	102
PID 2812 wrote to memory of 1052	2812	smss.exe	103
PID 2812 wrote to memory of 1052	2812	smss.exe	103
PID 2812 wrote to memory of 1052	2812	smss.exe	103
PID 1776 wrote to memory of 3056	1776	WScript.exe	104
PID 1776 wrote to memory of 3056	1776	WScript.exe	104
PID 1776 wrote to memory of 3056	1776	WScript.exe	104
PID 3056 wrote to memory of 2752	3056	smss.exe	105
PID 3056 wrote to memory of 2752	3056	smss.exe	105
PID 3056 wrote to memory of 2752	3056	smss.exe	105
PID 3056 wrote to memory of 2348	3056	smss.exe	106
PID 3056 wrote to memory of 2348	3056	smss.exe	106
PID 3056 wrote to memory of 2348	3056	smss.exe	106
PID 2752 wrote to memory of 2728	2752	WScript.exe	107
PID 2752 wrote to memory of 2728	2752	WScript.exe	107
PID 2752 wrote to memory of 2728	2752	WScript.exe	107
PID 2728 wrote to memory of 1160	2728	smss.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67e080e7fb0b34b6c79705d7689afc78.exe
"C:\Users\Admin\AppData\Local\Temp\67e080e7fb0b34b6c79705d7689afc78.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VvkahhESSJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1740
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\970fad1b-7ae5-41b7-9c00-e2245ccd6f0e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826ac197-ca73-439a-8eb1-4dc02c9d5d45.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61a99f3f-375c-48d7-8585-7d9c28a7318e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a399e5d-c175-4fbc-bc6a-a4546cda3d01.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d452420a-c36f-4402-8839-ca3516479d6e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0d0f71e-08a0-4d2f-b708-e00eb83f74e4.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4968c8-1926-44e8-8844-a51f6eade124.vbs"
        16⤵
        
        PID:1160
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841d87aa-6007-4f9b-abe3-dbe6e07b0dad.vbs"
        18⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0bd756-18bc-4b3f-871e-aa86e9497063.vbs"
        18⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ae22c8e-e140-47d9-ac5b-356fcd887554.vbs"
        16⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c54e94d-5d71-41c0-b3a6-7701d63585ef.vbs"
        14⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4519f3-fdb2-42e6-ad11-620c26726055.vbs"
        12⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7df3c211-8ec7-41bf-9040-211af99cae9e.vbs"
        10⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08421b68-2643-447c-b603-fd2cec02d4d7.vbs"
        8⤵
        
        PID:2616
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5759af7f-ea3f-4bd2-ae23-1993961e4199.vbs"
        6⤵
        
        PID:2748
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5241f8ff-7d5d-4baa-85d8-c7f96214b61b.vbs"
      4⤵
      PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67e080e7fb0b34b6c79705d7689afc786" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\67e080e7fb0b34b6c79705d7689afc78.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67e080e7fb0b34b6c79705d7689afc78" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\67e080e7fb0b34b6c79705d7689afc78.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67e080e7fb0b34b6c79705d7689afc786" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\67e080e7fb0b34b6c79705d7689afc78.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe

Filesize
885KB

MD5
67e080e7fb0b34b6c79705d7689afc78

SHA1
e82affbbc2595fe40579375cf5c41a7d826eacc7

SHA256
58898fe0524fffa99b22385eb2e89bd5779d40bf743b3b1ec0cde137015bbbbd

SHA512
37ee5981558160f13d208bc871e33ffabb5dd1887b5b974f6b8232e936127c6cb5f2c59013675d4f64b22b9bd384eac71b5da3732d49c1da0312eeb05c988a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a399e5d-c175-4fbc-bc6a-a4546cda3d01.vbs

Filesize
747B

MD5
7af8c5fc25102facef4a0c64020dba89

SHA1
7c8bbce6b358524f0df03184d642c50789876070

SHA256
d15b453abd01fd8f1536ab672b91d8807852438aa86c08febc0d78d1f4e62958

SHA512
d7c41b6d3686e536dbd601b275e7f80e2b349b57dc6f5d15af2eb5babb110ff918384ec98b40535ac1baa02f1c01e171eaae1c59a12f97c6387ea224a72c20fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a4968c8-1926-44e8-8844-a51f6eade124.vbs

Filesize
747B

MD5
dbdabb93853113cbdb8034f52771a887

SHA1
ff552fc6a24b3aee9049a700cf19b918b76710de

SHA256
6fa78230bd559f6401c712239c94a84c11f42962055d62efe73a5dddfb082a40

SHA512
f259789aa3712cc1d051b1409a8ddfe196438be6f970e2ccb3a23f2fcdffad92759dadb23837e101292d07ade4112a0feb26808942504455e5531378fc787ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5241f8ff-7d5d-4baa-85d8-c7f96214b61b.vbs

Filesize
523B

MD5
3a1f2f04b06e9bb77513e5a845455f6b

SHA1
2a5388432b961175d05796d7f4050e93e22b7753

SHA256
524e06d77488303229ffcf663a1b35a29db14f668caec0da3358fa91c476ebac

SHA512
50c0d17c25c042297c91f50be1d57bdf23f6f3dcf6815f64807c546db2ff1258b9d7ec600291e6017df941e52f4660042660e95a080f6334e45b6e1092899cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\61a99f3f-375c-48d7-8585-7d9c28a7318e.vbs

Filesize
747B

MD5
37108bce9bc7643727386af7fc7dc3b2

SHA1
c1b60d68ec186fc36d4c4465a5f27e76bb0e0ccb

SHA256
0fb77751c099fe97c3e0fb355cb90e30f84272412543e268847a19fac7d87e79

SHA512
2588736ee376f97bec059952b6aba7cd6a9318ea667369fd5e6f90dc707bbbfc64aee54a6dbdcc65940850e1b4b6f7b30f79b636a40d703f97c45eb63f070f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\826ac197-ca73-439a-8eb1-4dc02c9d5d45.vbs

Filesize
747B

MD5
2e58530fc7568fd74d96d605331a954a

SHA1
eba26ca4221300ba46262d520ab6000cd16b3eeb

SHA256
43226a95079d2878027aaf9abbc9527b7c8a1870597ef19b97e55d8554274c05

SHA512
c698a02b4d87beefb539c1489435c848002e661ffc7c4daf5847e869c860a06f2c5d55d0105b7c1e89ae658768e3385cab6fbfb815846a3c536ef52f2e8b251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\841d87aa-6007-4f9b-abe3-dbe6e07b0dad.vbs

Filesize
747B

MD5
081b9393ca835202e7b48da84aad98b3

SHA1
1e4a2541f39108b7f32cbe640f38199f4ddee6ab

SHA256
af016bde4e2879a31d9d4d6df0883534947cac3ccebf876ffdfa2d4240bd829c

SHA512
8a839f5d20aab6cab9ba7f6ae72c4633f287f5b0d7c3d412e75bd2ae9b26d6ddf4081686f8de416464cded621dd6e2f2a755b6dd6fb42f393abca2ae46c9ae38

Download Submit
C:\Users\Admin\AppData\Local\Temp\970fad1b-7ae5-41b7-9c00-e2245ccd6f0e.vbs

Filesize
747B

MD5
1a34b6f7e0fa3aea1e9444575b66c23a

SHA1
e0b77b10ee385b556e97447afd2a19f8374f9293

SHA256
18de05ff6bf081d3b31948b3ebae6495711aeabcd13ffb4628d0ad3ba878052f

SHA512
ce4d069f48c654eb0f61d5139e6ef02f67e5bd3113fc43c70643c9e3218b88e1b8a8de8a326528c56c6ff7bae406cad6027e6ebea9273e38ea89bec3e9d1ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvkahhESSJ.bat

Filesize
236B

MD5
456ea780bb70bb020948e07bfff9b0f0

SHA1
4b802f9cf2c62bccb6ffa81cab6dc9e4ef6f29cb

SHA256
c9ef99c77fcd0ee0fd5baae94fd72dec139ae23fe63db383d7af736a8c03f822

SHA512
48b406c48a15980a8fe99bc5bf6b712eec757d3c25e30bbfabf9ae0ededba536628914f17b13ff6027f4808401b7a058819dc644fad3715c792657a36fe76552

Download Submit
C:\Users\Admin\AppData\Local\Temp\d452420a-c36f-4402-8839-ca3516479d6e.vbs

Filesize
747B

MD5
06addc2cbf174d0a01fb13592616ec7b

SHA1
48b75cada6febad7dc7b957fbda449e040f23b4b

SHA256
16f66854eb08f81af6d5140e24c187dc5ffdf2fd608ec49f744b6ed733409a42

SHA512
ed97c5a98257369a90f662ff3c991d34a162dadfff656d2f237d5a3c5fb4cdb12924d1a19d7121186c2d2176942531412d94295b695fc58e80ae6f71003fd23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0d0f71e-08a0-4d2f-b708-e00eb83f74e4.vbs

Filesize
747B

MD5
611b076718aafc8834d08eb3f295fde3

SHA1
16cf9fb68d29fd69b2996ac680f7649ff7c61707

SHA256
459805a370d5b4474930cf13a80c50e923a0a0abf0c3d53a3ab033ff16f3ed63

SHA512
1a170e958abef3d42ed7accef1c67807499d6f7ed97461224bc8db0a0d94bb5a16398447f9b895b43168e6face2080edce2501842e14d661cfcaeb571cadbd8b

Download Submit
memory/1792-340-0x00000000002B0000-0x0000000000394000-memory.dmp

Filesize
912KB

Download
memory/1976-292-0x00000000008C0000-0x00000000009A4000-memory.dmp

Filesize
912KB

Download
memory/2384-6-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2384-1-0x00000000001E0000-0x00000000002C4000-memory.dmp

Filesize
912KB

Download
memory/2384-255-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-8-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2384-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2384-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2384-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2384-7-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2384-4-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2384-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2384-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-258-0x0000000000B90000-0x0000000000C74000-memory.dmp

Filesize
912KB

Download
memory/2728-328-0x0000000000090000-0x0000000000174000-memory.dmp

Filesize
912KB

Download
memory/2812-304-0x0000000000C40000-0x0000000000D24000-memory.dmp

Filesize
912KB

Download
memory/2916-280-0x00000000002E0000-0x00000000003C4000-memory.dmp

Filesize
912KB

Download
memory/3056-316-0x0000000000380000-0x0000000000464000-memory.dmp

Filesize
912KB

Download