dcrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e080e7fb0b34b6c79705d7689afc78.exe
Size

885KB
MD5

67e080e7fb0b34b6c79705d7689afc78
SHA1

e82affbbc2595fe40579375cf5c41a7d826eacc7
SHA256

58898fe0524fffa99b22385eb2e89bd5779d40bf743b3b1ec0cde137015bbbbd
SHA512

37ee5981558160f13d208bc871e33ffabb5dd1887b5b974f6b8232e936127c6cb5f2c59013675d4f64b22b9bd384eac71b5da3732d49c1da0312eeb05c988a6d
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx1:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4072	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/3920-1-0x00000000007E0000-0x00000000008C4000-memory.dmp	dcrat
behavioral6/files/0x0007000000024156-19.dat	dcrat
behavioral6/files/0x000e000000024168-124.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	67e080e7fb0b34b6c79705d7689afc78.exe

Executes dropped EXE 12 IoCs

pid	Process
4164	OfficeClickToRun.exe
2172	OfficeClickToRun.exe
4548	OfficeClickToRun.exe
1528	OfficeClickToRun.exe
2696	OfficeClickToRun.exe
4552	OfficeClickToRun.exe
3048	OfficeClickToRun.exe
1280	OfficeClickToRun.exe
400	OfficeClickToRun.exe
3304	OfficeClickToRun.exe
224	OfficeClickToRun.exe
2044	OfficeClickToRun.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\unsecapp.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC621.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Google\Update\7a0fd90576e088	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Media Player\it-IT\explorer.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Mail\29c1c3cc0f7685	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC641.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC723.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Mail\RCXC77A.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXC745.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXC768.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Mail\RCXC769.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Uninstall Information\RuntimeBroker.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Google\Update\explorer.exe	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC743.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXC744.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXC757.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Program Files\Windows Media Player\it-IT\7a0fd90576e088	67e080e7fb0b34b6c79705d7689afc78.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\55b276f4edf653	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Windows\tracing\RCXC755.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File opened for modification	C:\Windows\tracing\RCXC756.tmp	67e080e7fb0b34b6c79705d7689afc78.exe
File created	C:\Windows\tracing\StartMenuExperienceHost.exe	67e080e7fb0b34b6c79705d7689afc78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	67e080e7fb0b34b6c79705d7689afc78.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
640	schtasks.exe
1388	schtasks.exe
3796	schtasks.exe
2112	schtasks.exe
3448	schtasks.exe
436	schtasks.exe
4236	schtasks.exe
2264	schtasks.exe
2040	schtasks.exe
3740	schtasks.exe
4716	schtasks.exe
5008	schtasks.exe
2304	schtasks.exe
4980	schtasks.exe
2636	schtasks.exe
220	schtasks.exe
4392	schtasks.exe
2628	schtasks.exe
380	schtasks.exe
4080	schtasks.exe
2680	schtasks.exe
1504	schtasks.exe
3200	schtasks.exe
5088	schtasks.exe
3112	schtasks.exe
4560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3920	67e080e7fb0b34b6c79705d7689afc78.exe
3920	67e080e7fb0b34b6c79705d7689afc78.exe
3920	67e080e7fb0b34b6c79705d7689afc78.exe
4164	OfficeClickToRun.exe
2172	OfficeClickToRun.exe
4548	OfficeClickToRun.exe
1528	OfficeClickToRun.exe
1528	OfficeClickToRun.exe
2696	OfficeClickToRun.exe
4552	OfficeClickToRun.exe
3048	OfficeClickToRun.exe
1280	OfficeClickToRun.exe
400	OfficeClickToRun.exe
3304	OfficeClickToRun.exe
224	OfficeClickToRun.exe
2044	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	67e080e7fb0b34b6c79705d7689afc78.exe
Token: SeDebugPrivilege	4164	OfficeClickToRun.exe
Token: SeDebugPrivilege	2172	OfficeClickToRun.exe
Token: SeDebugPrivilege	4548	OfficeClickToRun.exe
Token: SeDebugPrivilege	1528	OfficeClickToRun.exe
Token: SeDebugPrivilege	2696	OfficeClickToRun.exe
Token: SeDebugPrivilege	4552	OfficeClickToRun.exe
Token: SeDebugPrivilege	3048	OfficeClickToRun.exe
Token: SeDebugPrivilege	1280	OfficeClickToRun.exe
Token: SeDebugPrivilege	400	OfficeClickToRun.exe
Token: SeDebugPrivilege	3304	OfficeClickToRun.exe
Token: SeDebugPrivilege	224	OfficeClickToRun.exe
Token: SeDebugPrivilege	2044	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3876	3920	67e080e7fb0b34b6c79705d7689afc78.exe	115
PID 3920 wrote to memory of 3876	3920	67e080e7fb0b34b6c79705d7689afc78.exe	115
PID 3876 wrote to memory of 4180	3876	cmd.exe	117
PID 3876 wrote to memory of 4180	3876	cmd.exe	117
PID 3876 wrote to memory of 4164	3876	cmd.exe	120
PID 3876 wrote to memory of 4164	3876	cmd.exe	120
PID 4164 wrote to memory of 4080	4164	OfficeClickToRun.exe	122
PID 4164 wrote to memory of 4080	4164	OfficeClickToRun.exe	122
PID 4164 wrote to memory of 2672	4164	OfficeClickToRun.exe	123
PID 4164 wrote to memory of 2672	4164	OfficeClickToRun.exe	123
PID 4080 wrote to memory of 2172	4080	WScript.exe	127
PID 4080 wrote to memory of 2172	4080	WScript.exe	127
PID 2172 wrote to memory of 4552	2172	OfficeClickToRun.exe	128
PID 2172 wrote to memory of 4552	2172	OfficeClickToRun.exe	128
PID 2172 wrote to memory of 216	2172	OfficeClickToRun.exe	129
PID 2172 wrote to memory of 216	2172	OfficeClickToRun.exe	129
PID 4552 wrote to memory of 4548	4552	WScript.exe	131
PID 4552 wrote to memory of 4548	4552	WScript.exe	131
PID 4548 wrote to memory of 1384	4548	OfficeClickToRun.exe	132
PID 4548 wrote to memory of 1384	4548	OfficeClickToRun.exe	132
PID 4548 wrote to memory of 4612	4548	OfficeClickToRun.exe	133
PID 4548 wrote to memory of 4612	4548	OfficeClickToRun.exe	133
PID 1384 wrote to memory of 1528	1384	WScript.exe	138
PID 1384 wrote to memory of 1528	1384	WScript.exe	138
PID 1528 wrote to memory of 3232	1528	OfficeClickToRun.exe	139
PID 1528 wrote to memory of 3232	1528	OfficeClickToRun.exe	139
PID 1528 wrote to memory of 3296	1528	OfficeClickToRun.exe	140
PID 1528 wrote to memory of 3296	1528	OfficeClickToRun.exe	140
PID 3232 wrote to memory of 2696	3232	WScript.exe	144
PID 3232 wrote to memory of 2696	3232	WScript.exe	144
PID 2696 wrote to memory of 548	2696	OfficeClickToRun.exe	145
PID 2696 wrote to memory of 548	2696	OfficeClickToRun.exe	145
PID 2696 wrote to memory of 3204	2696	OfficeClickToRun.exe	146
PID 2696 wrote to memory of 3204	2696	OfficeClickToRun.exe	146
PID 548 wrote to memory of 4552	548	WScript.exe	147
PID 548 wrote to memory of 4552	548	WScript.exe	147
PID 4552 wrote to memory of 464	4552	OfficeClickToRun.exe	148
PID 4552 wrote to memory of 464	4552	OfficeClickToRun.exe	148
PID 4552 wrote to memory of 4052	4552	OfficeClickToRun.exe	149
PID 4552 wrote to memory of 4052	4552	OfficeClickToRun.exe	149
PID 464 wrote to memory of 3048	464	WScript.exe	150
PID 464 wrote to memory of 3048	464	WScript.exe	150
PID 3048 wrote to memory of 4012	3048	OfficeClickToRun.exe	151
PID 3048 wrote to memory of 4012	3048	OfficeClickToRun.exe	151
PID 3048 wrote to memory of 5040	3048	OfficeClickToRun.exe	152
PID 3048 wrote to memory of 5040	3048	OfficeClickToRun.exe	152
PID 4012 wrote to memory of 1280	4012	WScript.exe	154
PID 4012 wrote to memory of 1280	4012	WScript.exe	154
PID 1280 wrote to memory of 372	1280	OfficeClickToRun.exe	155
PID 1280 wrote to memory of 372	1280	OfficeClickToRun.exe	155
PID 1280 wrote to memory of 4844	1280	OfficeClickToRun.exe	156
PID 1280 wrote to memory of 4844	1280	OfficeClickToRun.exe	156
PID 372 wrote to memory of 400	372	WScript.exe	157
PID 372 wrote to memory of 400	372	WScript.exe	157
PID 400 wrote to memory of 4784	400	OfficeClickToRun.exe	158
PID 400 wrote to memory of 4784	400	OfficeClickToRun.exe	158
PID 400 wrote to memory of 1236	400	OfficeClickToRun.exe	159
PID 400 wrote to memory of 1236	400	OfficeClickToRun.exe	159
PID 4784 wrote to memory of 3304	4784	WScript.exe	160
PID 4784 wrote to memory of 3304	4784	WScript.exe	160
PID 3304 wrote to memory of 3504	3304	OfficeClickToRun.exe	161
PID 3304 wrote to memory of 3504	3304	OfficeClickToRun.exe	161
PID 3304 wrote to memory of 2540	3304	OfficeClickToRun.exe	162
PID 3304 wrote to memory of 2540	3304	OfficeClickToRun.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67e080e7fb0b34b6c79705d7689afc78.exe
"C:\Users\Admin\AppData\Local\Temp\67e080e7fb0b34b6c79705d7689afc78.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZErtVKvE7F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4180
- - C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
    "C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21ac2445-7e70-462f-a842-faa80a085a1b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e6700a4-b110-462d-ae1e-ddfc1244d27b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de64c038-6229-4cce-8b30-eb9fa05de7f2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50cd8ca2-ae04-42ce-96da-630cd6fa9d16.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d55257-a0ca-46da-9791-46d2d0487991.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7ff66b-f7ea-4b3b-80e0-fa767a3c386f.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9acf572-8a5c-438f-beb7-c816a5f32459.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472fcd30-2362-405f-a71e-8e2d916fc23f.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\224f5031-0189-4e44-bbf9-3e57eb8324af.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de404a4c-699e-40b8-a8ba-67b9a4ff8171.vbs"
        22⤵
        
        PID:3504
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25736712-3c2f-4240-b70b-f53f11959b8f.vbs"
        24⤵
        
        PID:3512
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab3568c2-0545-48dc-a385-7f4494f44326.vbs"
        26⤵
        
        PID:2780
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        27⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\203caf8d-4278-47a0-9b24-93c454f24460.vbs"
        28⤵
        
        PID:3736
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
        29⤵
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bf2de31-b904-4def-83bb-c3037ef2e0d0.vbs"
        30⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d2d00ed-cc00-4937-ba86-63f2e44df8c2.vbs"
        30⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5abbe7d-6e19-4d99-b715-1ae5a8087396.vbs"
        28⤵
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d91f21-26b6-443b-8250-347c522ede1e.vbs"
        26⤵
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df6c6e18-453b-403e-a080-ce2c8d8bee8a.vbs"
        24⤵
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9805ab-4690-4188-afb7-ad9c31a58807.vbs"
        22⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96cb9cbe-0012-4467-b042-efff18fbe6bf.vbs"
        20⤵
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77e8969a-6cd3-4c5d-bd4f-d3a58b9138c2.vbs"
        18⤵
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd925d44-6f89-40b1-8222-f698b60bf915.vbs"
        16⤵
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0985e157-84f7-4c37-8416-44b5555e21ff.vbs"
        14⤵
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbf91001-d343-4105-9358-a42afd621fac.vbs"
        12⤵
        
        PID:3204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6b5790-e2f9-4715-88af-87e48a6064c9.vbs"
        10⤵
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8d48338-a33f-4db9-a1a7-f47634f59d8b.vbs"
        8⤵
        
        PID:4612
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0fc990-66f0-4124-9fbc-a292be38e619.vbs"
        6⤵
        
        PID:216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c4368f-555a-4dbe-857c-454a8018ddf9.vbs"
      4⤵
      PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe

Filesize
885KB

MD5
67e080e7fb0b34b6c79705d7689afc78

SHA1
e82affbbc2595fe40579375cf5c41a7d826eacc7

SHA256
58898fe0524fffa99b22385eb2e89bd5779d40bf743b3b1ec0cde137015bbbbd

SHA512
37ee5981558160f13d208bc871e33ffabb5dd1887b5b974f6b8232e936127c6cb5f2c59013675d4f64b22b9bd384eac71b5da3732d49c1da0312eeb05c988a6d

Download Submit
C:\Program Files\Windows Mail\RCXC769.tmp

Filesize
885KB

MD5
5d3a12df0c1d2750e6e40722a7f84cd5

SHA1
ca7ee061ed80b5f115da17c0abd348170df4077c

SHA256
17ca313f90e7baa07d318f9d738387397437f0470ca52e7a1aff61080df964e3

SHA512
b27e56927f6bba53780ed7bcd728db41ed3e7fa98d6fbfe250bc5aa368fb86e0219b64c044af9d8c14273613e86ec92e22a333d9c7428688e7347193a708c774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e6700a4-b110-462d-ae1e-ddfc1244d27b.vbs

Filesize
732B

MD5
3fbe9cabf7d05afa5a3d275dc4fe31ae

SHA1
2194d62748735595754cb1ec71598bb8480311bd

SHA256
5d7027426864998ecf7f4d3fe198bacdc92973ffa6728a537717406ccc42e421

SHA512
9c097f6edaacb465c1edcb2b8a30f262021233f1bb291efe9891c80733d1fbc00bd199c2c757a65e4d30562e26f2d5ef51dd6c8de61043fd167d0412e3ce5a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\203caf8d-4278-47a0-9b24-93c454f24460.vbs

Filesize
732B

MD5
310f1753eb2b0d9a00318a35c89dc379

SHA1
701d7b7234c96119149c1f08c40bf4158716b336

SHA256
c12774d9a410e0b90cf9dea56be8b19a7294a6e4fc7b48a16129596c57130e8b

SHA512
1019c6190411c3da8d6b1b556c62c12a46878a724a1b9c158109017925f35e544bcaabe41fa3ea79dc01e7b3512546b4e4ad7540b333bc6fb54e2110dff61eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\21ac2445-7e70-462f-a842-faa80a085a1b.vbs

Filesize
732B

MD5
8b248496eed27c31ecb2f77b0d57e70b

SHA1
c133750d410f8a35153c7ead1fb416634120c8cf

SHA256
4ca4945f0720fab995d86c7d30726704d69ff6b1a192e11a12f2771baffc7b44

SHA512
f89d90a3acf0444ca1fcb32ae62315364b203d132189586d814d4eaa2a34888ad06e6c1f47f840f77a03dcf6b1afade7410ff2e890d86848f212746267df94c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\224f5031-0189-4e44-bbf9-3e57eb8324af.vbs

Filesize
731B

MD5
9f6d249dae0ae3191ce4f3aef893b864

SHA1
25bba6cbe1b9031a56922e090758ab04e7a7957e

SHA256
2e7d29dced77d3d89686586e030d7f3a14e3cb8a7cf128393b322c887f856a28

SHA512
4077007d1feb58f80aacffdeda7c84b7967d5fa05961b25688f7316303a2087e88199f98a5b896e7b6f3399ff050d57d9272dacb7af2df68fd170161071825dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\25736712-3c2f-4240-b70b-f53f11959b8f.vbs

Filesize
731B

MD5
67fd183c929a2f362b49cf2a9d93bd92

SHA1
025c1d3d441713b2b1c1532eedc86b9035140595

SHA256
3c9d33d50de4d00939ee4c2a96a3d5ab0af514cc68c8070cd45c591750bd1b0f

SHA512
d2035fdd581709962ee6da9858234edc37c7d381c6b426b35fdf1f6be8a440a73f30c01a0922948f7801ff1faef3d1764846e3af6b7dfccfd724ad6f7dfdd94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\472fcd30-2362-405f-a71e-8e2d916fc23f.vbs

Filesize
732B

MD5
8a450e25efa11fee338d380b826fa64b

SHA1
f3d98c88c7c59c18e76b52eda813b05bafd98a98

SHA256
a52994af5aefe05ea99f5c2f5173d6b47eb1c5e47a9661dba8dcd549099d9be8

SHA512
1b124ef4e96611e78f480f97d17e188822f2382fa4d3bc5fdbc495f26b2d218b935a4837f3af3b132b5a940714464998806e227ca6fcb9554944995cad88316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bf2de31-b904-4def-83bb-c3037ef2e0d0.vbs

Filesize
732B

MD5
628aa190db3eda6e36fd3dc0c36ae8a9

SHA1
bfca6e92cf7fb16a8977b1a0f2c01d0d31460354

SHA256
079187fcd74fe81c511aa22180ad76bf009f95ff4e6b830526e51807b34dc771

SHA512
d2dba41e12498290789c86567c8c86b919e1b792da4f5837b11cb56ae8c8fe509f82a546bae1cc48a17df2a4def52d795b0023b5e22afd9d9b9ea038f72eea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\50cd8ca2-ae04-42ce-96da-630cd6fa9d16.vbs

Filesize
732B

MD5
fb62df54e3d220ee3bca698c0a9aa57f

SHA1
e6267b7df863e6da02bd3ece8ddb9a3e06366614

SHA256
3832a2571987c6eae7f994b3228a2e342609f458ea1e37d6600d1567ca415a6a

SHA512
78e63e6e80fc1a472e92c87e6e6bf41e8b82921fcd16c5a2cb9b61ee3db648152c50c9ced4f8b401f4c186f93a99fcfc37cc7867e1a8f5026a9eb600a89edcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZErtVKvE7F.bat

Filesize
221B

MD5
4fd5196eb05e8042008204bcc79c573b

SHA1
060de0e30be4e8e82ba701e398a3cfc02de24d6b

SHA256
5dd4b3c75ab173753eed03d6408ffd50ddbdadd134322020ed78132a0c6cc706

SHA512
285f350223cedf4fa97130ac2514b2dbd5553ff74bcb99f5b895b87c72cf578f78a8a15a54f6d8bed4c508431d2f98ad787e7b213a6f69bc7824effa7ad35b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab3568c2-0545-48dc-a385-7f4494f44326.vbs

Filesize
732B

MD5
af2b384eca3e3870137c179fb5c303b0

SHA1
bad81337b94a53216598e59c6701e7b54569fcbb

SHA256
b34b27ce38e8c21c40b83084bc61f0d7f4e4801dfbc4beb038ae01b455ccdcd0

SHA512
1a739d4c9471e68638feedd154e7ebad295db4104b02c5fca5be0eb8debf41f829c9f7035c573136f9e2febb476e6a58c3ea2bdf0e068a4f6adc598790117633

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5d55257-a0ca-46da-9791-46d2d0487991.vbs

Filesize
732B

MD5
dcfbf24bd4433ef1a0d4314b5c45c688

SHA1
c820e519e79b350b3cdd3d2a7f38c77d1a978c04

SHA256
cf8ac63c8a19ad7f64ccabd0d53670e492194eb27dd39f844dc84a5e3a4bfadc

SHA512
8fda8cfd2921906ccde67f3a4709f6df258e85de1f83a00c990696f542793c9acb47641199fe2d1b4b296224f0078c6086695bada1c32b6f3a5e722ebc9e0672

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9acf572-8a5c-438f-beb7-c816a5f32459.vbs

Filesize
732B

MD5
8db4764525ddb7fd59bd76daa74e77b4

SHA1
1271fc506369c11feea9a41c7b8a11fa359815e0

SHA256
814a2f54b81b92fd266a7ac3b693edc0009fbeb811a1ede498ffea5660454928

SHA512
0d7c7d6dc1bbc58769bdebfcfadf7effa200653cf1190f50d0a74996b4be43ab446dd5d83b170a55f8c1d369d0f0f894dfb98be6aa49c574966b753a1071b1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de404a4c-699e-40b8-a8ba-67b9a4ff8171.vbs

Filesize
732B

MD5
42853c03d404d741e123e1ef53ec85e5

SHA1
e6f006a6cb86700699dc88247a02d5f4175d64d6

SHA256
1a67fbd6331f692b69d48229b1766694a2e3c1a6a2083673431d61d1f4afd484

SHA512
8a7c91a98b7b07f20afc2fdfef6b3e47c7874283d28af2388d555c84ed4cd1970c4493095ab4bf40d118d57849439d37c1f03cbde1df9e056a895e25af6ad863

Download Submit
C:\Users\Admin\AppData\Local\Temp\de64c038-6229-4cce-8b30-eb9fa05de7f2.vbs

Filesize
732B

MD5
08cdf080dda985294b9a63e4d99bb843

SHA1
d3de1845a03fa7e9f06aa8d5a5f87e6ea2a169e9

SHA256
5fc1bd22f4700b03fae0ffeb22f3f7d1dc0704ec98edad9f2bad040ae3ded924

SHA512
44be9cedfe6f5b2491805c97148dc9341f2d101458e503a9c69c993ba23f0cac5635fbbab54ffd5239ea3118a4f9a501936d037ac1a1df405c0cc494c8a8bcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\de7ff66b-f7ea-4b3b-80e0-fa767a3c386f.vbs

Filesize
732B

MD5
688ee0dd3983e9d6362b3d6e3f03eae7

SHA1
333bcd40e72286f7b7abe3a4cc1476423bbf969d

SHA256
3794a6501233e244b921f13408dcf7d3f75083937ace7e85daba70b6824c44be

SHA512
7f2d647e507efc6691a2421c0dd9c58795ad72b7c5221232668ba149b39e297ce2b7c051e8585c8b25f17f0c42c13cee2f3f8039f95f1d0ed5b27e85796f14f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4c4368f-555a-4dbe-857c-454a8018ddf9.vbs

Filesize
508B

MD5
f51951a8fbf448fe9c94f9db315f4236

SHA1
ef43434759e6786b4baf465e489be3c0a401d341

SHA256
862b664177e9101f552dafea003e111e923ee03bed07e9a9dc66616ec99bb10e

SHA512
cd272ac4989930131e9e3d5460d5fb07eba664156e742c3c89571a4ef0b9837fea26ce389fbddfc6330ccbe473ac707d4ef057b06422b98497f3c37bbbcab891

Download Submit
memory/3920-9-0x000000001B420000-0x000000001B428000-memory.dmp

Filesize
32KB

Download
memory/3920-139-0x00007FFF63640000-0x00007FFF64101000-memory.dmp

Filesize
10.8MB

Download
memory/3920-6-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

Filesize
88KB

Download
memory/3920-7-0x0000000002AD0000-0x0000000002ADA000-memory.dmp

Filesize
40KB

Download
memory/3920-8-0x000000001B410000-0x000000001B41E000-memory.dmp

Filesize
56KB

Download
memory/3920-0-0x00007FFF63643000-0x00007FFF63645000-memory.dmp

Filesize
8KB

Download
memory/3920-10-0x000000001B430000-0x000000001B43C000-memory.dmp

Filesize
48KB

Download
memory/3920-3-0x00000000010D0000-0x00000000010EC000-memory.dmp

Filesize
112KB

Download
memory/3920-4-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/3920-5-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/3920-2-0x00007FFF63640000-0x00007FFF64101000-memory.dmp

Filesize
10.8MB

Download
memory/3920-1-0x00000000007E0000-0x00000000008C4000-memory.dmp

Filesize
912KB

Download