dcrat | f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
Size

1.6MB
MD5

072d2202b56c22e2f03d6d9f20daf3d4
SHA1

0ab55b346a913174a29e2fdc4f27e9d75894706e
SHA256

6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e
SHA512

c641638b944a9c57f1127a67a5afbf961498e72900fad69d720b778922823434baf8d2843333d761ae6f5516a3d03427a550d0a4b9eabb39ee7dd102d681e47e
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	760	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	760	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/3784-1-0x0000000000BF0000-0x0000000000D92000-memory.dmp	dcrat
behavioral22/files/0x00080000000242ab-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4728	powershell.exe
4712	powershell.exe
4896	powershell.exe
4724	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
3704	spoolsv.exe
5864	spoolsv.exe
5212	spoolsv.exe
2020	spoolsv.exe
376	spoolsv.exe
2168	spoolsv.exe
2572	spoolsv.exe
4284	spoolsv.exe
840	spoolsv.exe
3352	spoolsv.exe
2916	spoolsv.exe
5796	spoolsv.exe
3108	spoolsv.exe
3508	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\eeac4030560e9e	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX90DA.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX90DB.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4496	schtasks.exe
4520	schtasks.exe
4464	schtasks.exe
4612	schtasks.exe
4624	schtasks.exe
4628	schtasks.exe
3724	schtasks.exe
3856	schtasks.exe
4588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
4728	powershell.exe
4712	powershell.exe
4724	powershell.exe
4896	powershell.exe
4896	powershell.exe
4728	powershell.exe
4728	powershell.exe
4724	powershell.exe
4724	powershell.exe
4712	powershell.exe
4712	powershell.exe
4896	powershell.exe
3704	spoolsv.exe
5864	spoolsv.exe
5212	spoolsv.exe
2020	spoolsv.exe
376	spoolsv.exe
376	spoolsv.exe
2168	spoolsv.exe
2168	spoolsv.exe
2572	spoolsv.exe
2572	spoolsv.exe
4284	spoolsv.exe
840	spoolsv.exe
3352	spoolsv.exe
2916	spoolsv.exe
5796	spoolsv.exe
3108	spoolsv.exe
3508	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3704	spoolsv.exe
Token: SeDebugPrivilege	5864	spoolsv.exe
Token: SeDebugPrivilege	5212	spoolsv.exe
Token: SeDebugPrivilege	2020	spoolsv.exe
Token: SeDebugPrivilege	376	spoolsv.exe
Token: SeDebugPrivilege	2168	spoolsv.exe
Token: SeDebugPrivilege	2572	spoolsv.exe
Token: SeDebugPrivilege	4284	spoolsv.exe
Token: SeDebugPrivilege	840	spoolsv.exe
Token: SeDebugPrivilege	3352	spoolsv.exe
Token: SeDebugPrivilege	2916	spoolsv.exe
Token: SeDebugPrivilege	5796	spoolsv.exe
Token: SeDebugPrivilege	3108	spoolsv.exe
Token: SeDebugPrivilege	3508	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4724	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	98
PID 3784 wrote to memory of 4724	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	98
PID 3784 wrote to memory of 4728	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	99
PID 3784 wrote to memory of 4728	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	99
PID 3784 wrote to memory of 4712	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	100
PID 3784 wrote to memory of 4712	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	100
PID 3784 wrote to memory of 4896	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	101
PID 3784 wrote to memory of 4896	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	101
PID 3784 wrote to memory of 1284	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	106
PID 3784 wrote to memory of 1284	3784	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	106
PID 1284 wrote to memory of 2128	1284	cmd.exe	108
PID 1284 wrote to memory of 2128	1284	cmd.exe	108
PID 1284 wrote to memory of 3704	1284	cmd.exe	113
PID 1284 wrote to memory of 3704	1284	cmd.exe	113
PID 3704 wrote to memory of 3012	3704	spoolsv.exe	114
PID 3704 wrote to memory of 3012	3704	spoolsv.exe	114
PID 3704 wrote to memory of 3092	3704	spoolsv.exe	115
PID 3704 wrote to memory of 3092	3704	spoolsv.exe	115
PID 3012 wrote to memory of 5864	3012	WScript.exe	118
PID 3012 wrote to memory of 5864	3012	WScript.exe	118
PID 5864 wrote to memory of 5400	5864	spoolsv.exe	119
PID 5864 wrote to memory of 5400	5864	spoolsv.exe	119
PID 5864 wrote to memory of 2964	5864	spoolsv.exe	120
PID 5864 wrote to memory of 2964	5864	spoolsv.exe	120
PID 5400 wrote to memory of 5212	5400	WScript.exe	122
PID 5400 wrote to memory of 5212	5400	WScript.exe	122
PID 5212 wrote to memory of 4360	5212	spoolsv.exe	123
PID 5212 wrote to memory of 4360	5212	spoolsv.exe	123
PID 5212 wrote to memory of 5868	5212	spoolsv.exe	124
PID 5212 wrote to memory of 5868	5212	spoolsv.exe	124
PID 4360 wrote to memory of 2020	4360	WScript.exe	125
PID 4360 wrote to memory of 2020	4360	WScript.exe	125
PID 2020 wrote to memory of 2988	2020	spoolsv.exe	127
PID 2020 wrote to memory of 2988	2020	spoolsv.exe	127
PID 2020 wrote to memory of 1292	2020	spoolsv.exe	128
PID 2020 wrote to memory of 1292	2020	spoolsv.exe	128
PID 2988 wrote to memory of 376	2988	WScript.exe	132
PID 2988 wrote to memory of 376	2988	WScript.exe	132
PID 376 wrote to memory of 4864	376	spoolsv.exe	133
PID 376 wrote to memory of 4864	376	spoolsv.exe	133
PID 376 wrote to memory of 1216	376	spoolsv.exe	134
PID 376 wrote to memory of 1216	376	spoolsv.exe	134
PID 4864 wrote to memory of 2168	4864	WScript.exe	135
PID 4864 wrote to memory of 2168	4864	WScript.exe	135
PID 2168 wrote to memory of 4516	2168	spoolsv.exe	136
PID 2168 wrote to memory of 4516	2168	spoolsv.exe	136
PID 2168 wrote to memory of 4392	2168	spoolsv.exe	137
PID 2168 wrote to memory of 4392	2168	spoolsv.exe	137
PID 4516 wrote to memory of 2572	4516	WScript.exe	138
PID 4516 wrote to memory of 2572	4516	WScript.exe	138
PID 2572 wrote to memory of 2376	2572	spoolsv.exe	139
PID 2572 wrote to memory of 2376	2572	spoolsv.exe	139
PID 2572 wrote to memory of 2900	2572	spoolsv.exe	140
PID 2572 wrote to memory of 2900	2572	spoolsv.exe	140
PID 2376 wrote to memory of 4284	2376	WScript.exe	145
PID 2376 wrote to memory of 4284	2376	WScript.exe	145
PID 4284 wrote to memory of 4904	4284	spoolsv.exe	146
PID 4284 wrote to memory of 4904	4284	spoolsv.exe	146
PID 4284 wrote to memory of 3388	4284	spoolsv.exe	147
PID 4284 wrote to memory of 3388	4284	spoolsv.exe	147
PID 4904 wrote to memory of 840	4904	WScript.exe	148
PID 4904 wrote to memory of 840	4904	WScript.exe	148
PID 840 wrote to memory of 4604	840	spoolsv.exe	149
PID 840 wrote to memory of 4604	840	spoolsv.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
"C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ENuajpg87c.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2128
- - C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
    "C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\726b0f75-8494-45b3-b167-29d3598d6ce8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c807bbc5-ff4b-4c36-b318-155fc4c0bac4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5400
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f179c3-8aa4-450c-b4ac-4c0218625e1a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35f522e-589f-4373-bf7d-ea9116905764.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00ea8d7c-6ff9-4bdb-a203-dce3f91309be.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86ce536e-8186-4668-ac00-8ace8f508023.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0cf1cc6-adac-44a0-a772-52c30f8c367a.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3f7785a-a433-4a94-ba00-7a582ad6a44a.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70149b62-bdea-4dac-8ec9-184bd9470e68.vbs"
        20⤵
        
        PID:4604
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f388a03-260d-434e-be81-bc05d3459c7a.vbs"
        22⤵
        
        PID:2080
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a76877e-1ad5-40ce-8b5c-886c61198fcb.vbs"
        24⤵
        
        PID:376
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da8dec18-2b6b-479e-9a56-f0cea59aa0bd.vbs"
        26⤵
        
        PID:4828
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9abeaaea-257a-4c8b-a16e-84a9795dd0c4.vbs"
        28⤵
        
        PID:1008
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        
        C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e68e76d1-5ab1-4d8e-a28f-7dfa8c674d0b.vbs"
        30⤵
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c586ebc1-eb3f-4624-a92a-6c35ec55486e.vbs"
        30⤵
        
        PID:5972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79db821-3382-4ea5-817d-71a33a2c9546.vbs"
        28⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e322811d-2df3-4d52-b023-b27ee96087bc.vbs"
        26⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4eaf61d-38d7-42fa-bf74-a03e0244f75c.vbs"
        24⤵
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c92f747-0e48-4d88-8c1f-add8c1544dfa.vbs"
        22⤵
        
        PID:4336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da93884-1210-4c20-9482-7a7930c201cf.vbs"
        20⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e0c2312-a149-4cf9-bfac-4778fe7d013c.vbs"
        18⤵
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\310a2275-7ce1-4c5a-87c0-c28a0360daef.vbs"
        16⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1544ff9-e4df-4687-9e68-1c46014b5234.vbs"
        14⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab7dee8a-6179-4ef9-9503-228d6a3b9cd4.vbs"
        12⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\910b1a4c-3281-4d7b-9ddc-38545ec0480e.vbs"
        10⤵
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\675520a4-66a7-45e5-9132-6ff00a243f64.vbs"
        8⤵
        
        PID:5868
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12a3f3a-dcbe-438e-85d4-7fd39e769bb2.vbs"
        6⤵
        
        PID:2964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7010f9c-a458-44fc-8735-1fb396f9f2b1.vbs"
      4⤵
      PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e6" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e6" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3930c254bc452c4fd482e3059b51aa04

SHA1
1c4bdb41f3a7c9d4ee3b8006cc1c495eedb072e2

SHA256
dc600748250d0dd0ffa2678049fd27ec8e56e262601f3d8a1fd7165b03f97fb8

SHA512
888565d3356b5fc9c5b55d6842c520487219bc2220df2a56cb74686cc36ebd0fbd1ab9f2a17f93e9c15031c8d6366031a4fd2c1f8a6f8cf96bc3a5939f31a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b9ebff96ce87bb2948f7decf425a335

SHA1
3172582f4a97c15d0c5162c547fe81b811de8e74

SHA256
9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c

SHA512
4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

Download Submit
C:\Users\Admin\AppData\Local\Temp\00ea8d7c-6ff9-4bdb-a203-dce3f91309be.vbs

Filesize
720B

MD5
e428a45fcb8aed1ae39fa6eaa671281e

SHA1
f7c62bc96aadf9c1c9d2c9c40afb49129dbb365a

SHA256
936cfa52e9d1bd1b7835ac7a5d1de10760e8741ec2c38fcc5b002a222eca7488

SHA512
32251eeababf030bba94c3d1e955c5e06cc886a14e92bcb1d2b25ada5567e0f1339e0ab300281cc4ff3b58ee0ddf65c6b558210f15dc45bc5620042d3d3df60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00f179c3-8aa4-450c-b4ac-4c0218625e1a.vbs

Filesize
721B

MD5
216ac7fa83e742bffc50ee64f5e58814

SHA1
3cc8f23c36ad130c4c4cbc4ff0ca35117f87812e

SHA256
ed8ad49b636b09f3952cd1517c40fec2ad2d541457394b2ed48754bb8de8e23c

SHA512
d7625ee4bc1f16af1c8262ee5f4f27af50fb02ec66844417bcd09e0d59e9ca40399b5a2fdb280095a03d3f4f102935198c01a6dd2215524ca4d89ed5e6d8bfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a76877e-1ad5-40ce-8b5c-886c61198fcb.vbs

Filesize
721B

MD5
ac2899accc45bd3fb341586c215b3603

SHA1
eafd37b41bc1e3fa44b9b9a86acc366c46279e99

SHA256
d04514afafad973b76786dac14a342d4316c3c1a5057a196bcf103657c29349e

SHA512
7ee5fe8f91acbaf1ae986aa761ffa9d003eb1949906f01cb1611c00a016bb93bd0119627cbaaadee4380eea9dc1bd122831731e63c64c4e8ee33dd7536bae118

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f388a03-260d-434e-be81-bc05d3459c7a.vbs

Filesize
721B

MD5
0f06579e7b2a911359c0f2444a001dd4

SHA1
0f32090fc89f9926a951a8e86a938b57bf219f41

SHA256
32085ef0eb1c85d4083e1cc9e897ae1d314a70cc23bcabc8a0e7be63e32379aa

SHA512
35ec6976527a8cd1b07d7458fdf6f5cda8d75025869c836e025531120bef99996ab97314a84790b94ecb0e7296ceb50e2af4ca670f82100b18cbec39a0b7fe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\70149b62-bdea-4dac-8ec9-184bd9470e68.vbs

Filesize
720B

MD5
30c3a1df6892ca07ae6297d16c9f8b20

SHA1
ee9a874ddbb8437666cc09af4eb40c5bd0b6c61f

SHA256
6cfa7d53c52a3b2eab93291fce9429c77a98ecf23c418258f3454c95859ac4e0

SHA512
bf5c9ecc16c150525be48c914d2077fdd7bb6107a92625e008557d862cb1aa546acf7904bf56c4eebfaf217184c5b7ace3b38dfcd0cc20aa5821b5b05ef398f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\726b0f75-8494-45b3-b167-29d3598d6ce8.vbs

Filesize
721B

MD5
be6d1f4b80f17a2b0dc74aa9df3a2fb8

SHA1
246587c59afc083bc84f9139293b907066a5b503

SHA256
a269c739424a82a85223532fd51e65c8d98ef99e5acc41f0a2259de1eab01eeb

SHA512
38f7d74dcff44cb90e09d8ac66f541eabbc241f94b7fc41f7effd95886c74a2c3c17b6bf668961e7d8fcc47cbbb0a318c70b499ea2d33dfe59b9f389bb1cec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\86ce536e-8186-4668-ac00-8ace8f508023.vbs

Filesize
721B

MD5
ffae7f5c90a8f496799af5be874da94d

SHA1
4fe1d13f01b8ad727f3599919e00bd109b2b3507

SHA256
5a739cbf85ccefee5186faefefb12b0d67de7026ea58f58b7b744a4737181bb2

SHA512
6cfc4c76a593bbadfd68ecadfe88cf744fd73b71484cdbaff0f8b910092f46e00a0815cf9c070d518ad771536a009ec05dec56bae81817630b589eae04cbaf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\9abeaaea-257a-4c8b-a16e-84a9795dd0c4.vbs

Filesize
721B

MD5
ade95bd718d7975a87143edacb8fb3aa

SHA1
16aaa9932e175b231b95c7c0ec22e3bf057f7b0b

SHA256
2feba0a7645a0ad606e54cddd73b767322307e890f33744b580bd360b8d7f744

SHA512
351b781db846c9c0f15e36ae8a7436aaa9998b300ca4355318888f1cda6e7db425e9b53392b681da3e8d4b412fca29eaf6fb3d5e7f66bae1ad65e34e393c4eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENuajpg87c.bat

Filesize
210B

MD5
d2abdd9f2535d20b37889d5848ab5c53

SHA1
b63e56f99706eec2c1785fd4c52c6c79ac63022f

SHA256
93f2888a5af4363055932ebd384c66a753111b4b35075255f4b5e032ec8ae209

SHA512
4b1a4e564ddebdeb8ef26b70f100d0655d590a6c611b79e9140678b3389bc6e1b8cc071f51619a3f032797a9da64e19b1dc6143af8cd0fd9cd4fc75c7ad28135

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX8CA1.tmp

Filesize
1.6MB

MD5
072d2202b56c22e2f03d6d9f20daf3d4

SHA1
0ab55b346a913174a29e2fdc4f27e9d75894706e

SHA256
6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e

SHA512
c641638b944a9c57f1127a67a5afbf961498e72900fad69d720b778922823434baf8d2843333d761ae6f5516a3d03427a550d0a4b9eabb39ee7dd102d681e47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ykiw0du.hy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3f7785a-a433-4a94-ba00-7a582ad6a44a.vbs

Filesize
721B

MD5
388c9b2f024ee6e3a965f043f1bd8886

SHA1
b21dfab734c87c836af1b7275c342168773a43c2

SHA256
f522bdd47942fbf262ec1a98919edb74ef7de078338297d5df449fc5dc39ce83

SHA512
5d536921584e506b368f80ca6b52e137670c484e3cd3f767d8931c6912b7cfd1e845a94b80bf832ff40f391b26413ed277c6852f4b6736e53af0fd9fb1ba46d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c807bbc5-ff4b-4c36-b318-155fc4c0bac4.vbs

Filesize
721B

MD5
a7e9d3388a3ac4610c0b98543015ca87

SHA1
cfc2634dd3961f9311c1b82dda8be3cd89ac1e62

SHA256
c802abd1ec0101d08736a0dafd3a618e2f7b7316d982b9c40798980a3642f6e8

SHA512
20910ce98a511703dbe76d45eb0e9c7105950f1f248ea7b4845ceec7335cb455ac9f63ed6a88e895924e3d7046aab5a36a0af9bbd8e975b33146bbd3f2e145ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7010f9c-a458-44fc-8735-1fb396f9f2b1.vbs

Filesize
497B

MD5
7269cdd7ad03f82b4f0cb77e43ebc662

SHA1
9d5ba7808124dd8cb8daf27f349e2c9793fc7a78

SHA256
5be35ae22b23c2f737427daa8ae68928910225756025c9830066fa8b6037df7a

SHA512
6389cc4c8aee956fe9203937676b87e618d8ef96a794b842472da7bb726965ada0b679497652bfe2c5e092dd8b38fb593f14b758f8bdfdcdf856d7b3d72e380f

Download Submit
C:\Users\Admin\AppData\Local\Temp\da8dec18-2b6b-479e-9a56-f0cea59aa0bd.vbs

Filesize
721B

MD5
f480f5ad9b9b96af40d0bef055b0bc68

SHA1
e06bb4c4bf469df25df15c7eb521c414260b8853

SHA256
fd2687cff6c8898a74281186845448686521f7b11e6b5e9990a5b7661b24f8a9

SHA512
aea72d5dfe0d879ee740c09d1af1b2fd65b38008e8df97a33091993a5672d528d0ff336afbe00816c0d880ca5684c3608ef5ed55a3e70bcadf2a62d14506df7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cf1cc6-adac-44a0-a772-52c30f8c367a.vbs

Filesize
721B

MD5
78e0bbf31e32d331897e8fbb45226558

SHA1
013455db13b53b109008bd500cd293d811cb1650

SHA256
41211fe7d312c11be210f0d41a298c627a49089973b8e6b67a8c3ac462c7ffba

SHA512
73be5f0abb032b829d984203801967791cb638c0f01fa35397400f99734599e2c72d13d7cdf7c2c4eeaf2ab25f114530126e9d3d33bbfd222455f5470b49984b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e35f522e-589f-4373-bf7d-ea9116905764.vbs

Filesize
721B

MD5
953fb1aee2ba399c4e14aea2bb20a3ce

SHA1
561b6dd3a617d2699c999e212d308831bdb32f35

SHA256
71548fd5edd9d1be54ea093cb2b85f05c026af1f2c0e14ebd9624f7437024e39

SHA512
1ca4bd94153e2a67c9d24b3d18f50f75a9bf7ee2a87161e05dc9fd151643c270d84d1eee0a65607b68142864587ce486ad536985fd6600429ec2963a9e559209

Download Submit
C:\Users\Admin\AppData\Local\Temp\e68e76d1-5ab1-4d8e-a28f-7dfa8c674d0b.vbs

Filesize
721B

MD5
a10a578a3d268069967e955f9dea2a87

SHA1
7bc68fae91060ac1f994b4d9e2f9c6abdbd57086

SHA256
4fc26c2c9aeb74f4cef750a069f0d40dc08dd1ca86079f7290c11a289b69b1e7

SHA512
bc8b895d5e704a3dfea64c6886194718b638d5dfc854da9f55f9ccf8e2e879ef04e5971b07ae17293a7f94fb2bbbd849371b57a0786d64e6f64f55c04e3aa3a9

Download Submit
memory/2572-196-0x000000001C070000-0x000000001C172000-memory.dmp

Filesize
1.0MB

Download
memory/3784-10-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/3784-11-0x000000001C230000-0x000000001C23C000-memory.dmp

Filesize
48KB

Download
memory/3784-1-0x0000000000BF0000-0x0000000000D92000-memory.dmp

Filesize
1.6MB

Download
memory/3784-16-0x000000001C280000-0x000000001C28A000-memory.dmp

Filesize
40KB

Download
memory/3784-14-0x000000001C260000-0x000000001C268000-memory.dmp

Filesize
32KB

Download
memory/3784-17-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/3784-15-0x000000001C270000-0x000000001C278000-memory.dmp

Filesize
32KB

Download
memory/3784-12-0x000000001C240000-0x000000001C24A000-memory.dmp

Filesize
40KB

Download
memory/3784-13-0x000000001C250000-0x000000001C25E000-memory.dmp

Filesize
56KB

Download
memory/3784-98-0x00007FFE76B50000-0x00007FFE77611000-memory.dmp

Filesize
10.8MB

Download
memory/3784-0-0x00007FFE76B53000-0x00007FFE76B55000-memory.dmp

Filesize
8KB

Download
memory/3784-9-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/3784-8-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/3784-7-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/3784-4-0x000000001C010000-0x000000001C060000-memory.dmp

Filesize
320KB

Download
memory/3784-6-0x000000001BFD0000-0x000000001BFE6000-memory.dmp

Filesize
88KB

Download
memory/3784-5-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/3784-3-0x0000000002E80000-0x0000000002E9C000-memory.dmp

Filesize
112KB

Download
memory/3784-2-0x00007FFE76B50000-0x00007FFE77611000-memory.dmp

Filesize
10.8MB

Download
memory/4728-78-0x000001A322B00000-0x000001A322B22000-memory.dmp

Filesize
136KB

Download