dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Size

1.6MB
MD5

ec20848f83db3017eaf15c4f841fddc5
SHA1

3f46877c232c250f7538c26b863497d7c0ffd538
SHA256

7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23
SHA512

d00d7f760f5966860a0eb4233c9d5b0bcdd2c28ccc64099e5fd728b15c08b524aed4f897244415815d31526a4ca8e5779bf137522610d9565abed8cf9fafa03e
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2652	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2652	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral16/memory/1176-1-0x0000000000210000-0x00000000003B2000-memory.dmp	dcrat
behavioral16/files/0x00080000000241fd-28.dat	dcrat
behavioral16/files/0x000700000001e6db-60.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5276	powershell.exe
2992	powershell.exe
3084	powershell.exe
3020	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
1588	spoolsv.exe
5020	spoolsv.exe
1708	spoolsv.exe
6084	spoolsv.exe
4756	spoolsv.exe
3720	spoolsv.exe
380	spoolsv.exe
3852	spoolsv.exe
4996	spoolsv.exe
2532	spoolsv.exe
3876	spoolsv.exe
736	spoolsv.exe
1536	spoolsv.exe
3732	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\886983d96e3d3e	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX622B.tmp	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX62A9.tmp	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCX6026.tmp	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File opened for modification	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX6025.tmp	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4704	schtasks.exe
4728	schtasks.exe
4696	schtasks.exe
4892	schtasks.exe
4764	schtasks.exe
2904	schtasks.exe
4600	schtasks.exe
4812	schtasks.exe
4644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
5276	powershell.exe
5276	powershell.exe
3020	powershell.exe
3020	powershell.exe
3084	powershell.exe
3084	powershell.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
5276	powershell.exe
3020	powershell.exe
3084	powershell.exe
1588	spoolsv.exe
5020	spoolsv.exe
1708	spoolsv.exe
6084	spoolsv.exe
6084	spoolsv.exe
4756	spoolsv.exe
3720	spoolsv.exe
380	spoolsv.exe
3852	spoolsv.exe
4996	spoolsv.exe
2532	spoolsv.exe
3876	spoolsv.exe
736	spoolsv.exe
1536	spoolsv.exe
3732	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1588	spoolsv.exe
Token: SeDebugPrivilege	5020	spoolsv.exe
Token: SeDebugPrivilege	1708	spoolsv.exe
Token: SeDebugPrivilege	6084	spoolsv.exe
Token: SeDebugPrivilege	4756	spoolsv.exe
Token: SeDebugPrivilege	3720	spoolsv.exe
Token: SeDebugPrivilege	380	spoolsv.exe
Token: SeDebugPrivilege	3852	spoolsv.exe
Token: SeDebugPrivilege	4996	spoolsv.exe
Token: SeDebugPrivilege	2532	spoolsv.exe
Token: SeDebugPrivilege	3876	spoolsv.exe
Token: SeDebugPrivilege	736	spoolsv.exe
Token: SeDebugPrivilege	1536	spoolsv.exe
Token: SeDebugPrivilege	3732	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 5276	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	100
PID 1176 wrote to memory of 5276	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	100
PID 1176 wrote to memory of 2992	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	101
PID 1176 wrote to memory of 2992	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	101
PID 1176 wrote to memory of 3084	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	102
PID 1176 wrote to memory of 3084	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	102
PID 1176 wrote to memory of 3020	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	103
PID 1176 wrote to memory of 3020	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	103
PID 1176 wrote to memory of 1588	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	108
PID 1176 wrote to memory of 1588	1176	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	108
PID 1588 wrote to memory of 3488	1588	spoolsv.exe	109
PID 1588 wrote to memory of 3488	1588	spoolsv.exe	109
PID 1588 wrote to memory of 2044	1588	spoolsv.exe	110
PID 1588 wrote to memory of 2044	1588	spoolsv.exe	110
PID 3488 wrote to memory of 5020	3488	WScript.exe	114
PID 3488 wrote to memory of 5020	3488	WScript.exe	114
PID 5020 wrote to memory of 2132	5020	spoolsv.exe	115
PID 5020 wrote to memory of 2132	5020	spoolsv.exe	115
PID 5020 wrote to memory of 1412	5020	spoolsv.exe	116
PID 5020 wrote to memory of 1412	5020	spoolsv.exe	116
PID 2132 wrote to memory of 1708	2132	WScript.exe	117
PID 2132 wrote to memory of 1708	2132	WScript.exe	117
PID 1708 wrote to memory of 2904	1708	spoolsv.exe	119
PID 1708 wrote to memory of 2904	1708	spoolsv.exe	119
PID 1708 wrote to memory of 4712	1708	spoolsv.exe	120
PID 1708 wrote to memory of 4712	1708	spoolsv.exe	120
PID 2904 wrote to memory of 6084	2904	WScript.exe	125
PID 2904 wrote to memory of 6084	2904	WScript.exe	125
PID 6084 wrote to memory of 2152	6084	spoolsv.exe	126
PID 6084 wrote to memory of 2152	6084	spoolsv.exe	126
PID 6084 wrote to memory of 5888	6084	spoolsv.exe	127
PID 6084 wrote to memory of 5888	6084	spoolsv.exe	127
PID 2152 wrote to memory of 4756	2152	WScript.exe	132
PID 2152 wrote to memory of 4756	2152	WScript.exe	132
PID 4756 wrote to memory of 4064	4756	spoolsv.exe	133
PID 4756 wrote to memory of 4064	4756	spoolsv.exe	133
PID 4756 wrote to memory of 2512	4756	spoolsv.exe	134
PID 4756 wrote to memory of 2512	4756	spoolsv.exe	134
PID 4064 wrote to memory of 3720	4064	WScript.exe	135
PID 4064 wrote to memory of 3720	4064	WScript.exe	135
PID 3720 wrote to memory of 5868	3720	spoolsv.exe	136
PID 3720 wrote to memory of 5868	3720	spoolsv.exe	136
PID 3720 wrote to memory of 3144	3720	spoolsv.exe	137
PID 3720 wrote to memory of 3144	3720	spoolsv.exe	137
PID 5868 wrote to memory of 380	5868	WScript.exe	138
PID 5868 wrote to memory of 380	5868	WScript.exe	138
PID 380 wrote to memory of 2276	380	spoolsv.exe	139
PID 380 wrote to memory of 2276	380	spoolsv.exe	139
PID 380 wrote to memory of 760	380	spoolsv.exe	140
PID 380 wrote to memory of 760	380	spoolsv.exe	140
PID 2276 wrote to memory of 3852	2276	WScript.exe	142
PID 2276 wrote to memory of 3852	2276	WScript.exe	142
PID 3852 wrote to memory of 4176	3852	spoolsv.exe	143
PID 3852 wrote to memory of 4176	3852	spoolsv.exe	143
PID 3852 wrote to memory of 972	3852	spoolsv.exe	144
PID 3852 wrote to memory of 972	3852	spoolsv.exe	144
PID 4176 wrote to memory of 4996	4176	WScript.exe	145
PID 4176 wrote to memory of 4996	4176	WScript.exe	145
PID 4996 wrote to memory of 4848	4996	spoolsv.exe	146
PID 4996 wrote to memory of 4848	4996	spoolsv.exe	146
PID 4996 wrote to memory of 2828	4996	spoolsv.exe	147
PID 4996 wrote to memory of 2828	4996	spoolsv.exe	147
PID 4848 wrote to memory of 2532	4848	WScript.exe	148
PID 4848 wrote to memory of 2532	4848	WScript.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
"C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Users\Default\Desktop\spoolsv.exe
  "C:\Users\Default\Desktop\spoolsv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\551364c6-76cc-47fa-9e44-97d081c79658.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Default\Desktop\spoolsv.exe
      C:\Users\Default\Desktop\spoolsv.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4840dcf5-08a4-436a-b734-06c613d3f265.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bdbaf06-0c93-4792-a66c-cfdd30bebec6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b9ff7cb-959e-4451-81f3-83ccb0008913.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b0a6c33-715a-49e8-b4fc-db63b1503a2a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c25024-e064-4fdb-8df3-56cc1bb15904.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5868
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c72f8b0-bfb2-4d38-b385-696fea262283.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0aad1ef-3810-4008-b9ab-642a07e4dde4.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f05eb8-073f-42dc-ae53-1830fa842092.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bab20799-c691-4865-87de-859e3b5b1306.vbs"
        21⤵
        
        PID:5204
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a061672f-b0e2-46c6-8af3-dab06f105e03.vbs"
        23⤵
        
        PID:2932
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff55d8e-d710-40a6-9452-f9f92c55bbea.vbs"
        25⤵
        
        PID:4700
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0dc306-82f4-4107-8527-2d3022741c6d.vbs"
        27⤵
        
        PID:4064
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49de433c-9aa8-4d23-88ab-6b06671a8be6.vbs"
        29⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c52525f9-de3e-4544-892e-faa661cf5fbc.vbs"
        29⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9d75e40-8e4a-4793-bf80-051ca73a5d4f.vbs"
        27⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f493ef-81fa-41d8-9db3-8cc316a3e73e.vbs"
        25⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be68a344-c799-49b6-9208-d2f1bc67035c.vbs"
        23⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f5d90c-a44e-4ef0-9731-987e4960bbfc.vbs"
        21⤵
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64a03939-23f2-486a-8787-36fae8f5a859.vbs"
        19⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84612d8d-f799-4f23-9e50-1cfe8ef7454c.vbs"
        17⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fca933b-db69-4f64-ad24-1e5251779202.vbs"
        15⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\630dfff0-93e0-4254-959c-3ef8f53a6e4c.vbs"
        13⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d9cc73-79d7-43ff-b7b0-3832a72eb8a8.vbs"
        11⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f4e21fc-85f2-4736-87bf-648a33bb6a4d.vbs"
        9⤵
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8f9beb-b015-459e-ba1d-62403c5dc89c.vbs"
        7⤵
        
        PID:4712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\293e2b12-e233-4916-9652-41b77dd465ec.vbs"
        5⤵
        
        PID:1412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f31fda4-979c-4bb5-b37d-1f584a307e38.vbs"
    3⤵
    PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe

Filesize
1.6MB

MD5
e89b185c310e6ab38645f478c210336f

SHA1
6ff6db56cf17d6d3e299895245b334b47757d793

SHA256
944c054b01681e11685c6c8a24c5f2cb78eb733d8c66b6a9485078cb89c77707

SHA512
dad169ab187595b489d9d4d045df41372c45b838aafb94d3dccba304a40435ab63c60cfe5d8f666774598332d2abfbe7fa0bf4e8072cd35d2246ba45c7444f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b594c0a5591fab95a43185dd9944a231

SHA1
3d725e779790f3525ba12b0666f0a3a235644fed

SHA256
8478ca44e6145dbe6664f871852535793f5ab6d86b4c78c611165bdfb91f159a

SHA512
452fc6194d00c466a3ceb98d2cce2e4262f6b0998b99c6b2ccd842d07449b177d1ce9ff4e7659e0b358eedf44bdc20cc30e3fdb2e4b61e56d94e3965f48cdb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
164a45e66dbe5b4c1fad9ced25394a84

SHA1
5f90cf92b891734679ddb12be560b2ec4c6282d7

SHA256
e8f1393a9e1a21ef9c18231e6d1301624694e6036ec8ddf1234219eb96222a28

SHA512
d05e8eebd235ed67a9a4c8f13004cf576df60ae068b81cd11a9d3de69cde110bf3983005a55adac948c5e8f5843b44c865b56dad4d8a37de3d2e442c4ef2eb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b9ff7cb-959e-4451-81f3-83ccb0008913.vbs

Filesize
712B

MD5
dcab68b1c16e4083ae96f0c23d62971f

SHA1
91b29260c17ad384c7505592a714ede80573fbd6

SHA256
6bee6ce1c645028e909e21c8c4d19a41dc58999935a9e828226c0dbbe48c038d

SHA512
c4050b4c72d4cbb844d2894f187f8e306b8212d6dba27daf496d860c368b04c48723fac4d1662091752f6ff7d44873bd483e1997be1d2c1e5ee9988bc4ad78f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c72f8b0-bfb2-4d38-b385-696fea262283.vbs

Filesize
711B

MD5
f5ca711d1424b37f8f7d9622503425d2

SHA1
741a2e57fddb855cacebce3a029c22870aec6a1d

SHA256
4944f5e54b3c26133ce1e7e79942f73e9b678b3bdad0bda28e5f4aa73b831a10

SHA512
3888a86dcf52d8d02dd73f29b4e3cb886d987955e5ae09d60e12c144f4ddaef6436e53ca2a11c6a0598fd3080b6879132e946b922568b5ad269733d6d577d204

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f31fda4-979c-4bb5-b37d-1f584a307e38.vbs

Filesize
488B

MD5
59fcd04bb21f0cff371504e0a440d8be

SHA1
a55b0709eac1161d31aa5e8c684cb1f91e115d4b

SHA256
13ce34861469d560de70426c2424bc306a884bff1dedb00f6534a8ab5ad36f8f

SHA512
d860e601652079686f5ca88efee5a415eaa2543ad644a68c8c62b5b42c70de3e86d7ad0fa53aea0ed37dda3704cf7ff7b236f60502ebfdc71fced3a4d977dd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4840dcf5-08a4-436a-b734-06c613d3f265.vbs

Filesize
712B

MD5
c9d2703e173a6a2f6e896ef8cfa38767

SHA1
d4cd5e57901da27caa6d09a2affd43694afc0808

SHA256
caa676e28dd1bdaa8e97fc225ac8aac65b785b55d1e81fa369c01c926c72ab7b

SHA512
d26f30715024f89b899c23292a3c9af78e3ee6b29577d8d929df1881283d555ea68c5d0ff0d6666a982551c7ba6f2ae59eba5018dfb405a8ab32d9ca7b7b9e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\49de433c-9aa8-4d23-88ab-6b06671a8be6.vbs

Filesize
712B

MD5
33d1863ba2eed5fe33252ac6ab64bcfd

SHA1
0230ceba17e1d36c08fe32b365166e84168b1675

SHA256
aa311d2be38b529f882e23d9f0f61bb1cd568856b6f8f44b3cb637998e71b730

SHA512
c214c4fcdfa2e52f4f545e75af0a20aa70b6b7e2df99946ab8eec70af9d1f938cc6e70a5fa1e100482472727cc4c469743f6b8b0ae882aa2c5ee16df6e10fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\53f05eb8-073f-42dc-ae53-1830fa842092.vbs

Filesize
712B

MD5
87c70e7897c4c1ba85e5e86f5129d9c1

SHA1
b27762ef431e3a75baf66bb780a7d5c7f5b18f92

SHA256
3c473c04ec9287bda0fd30578e96e75654fcdf2d085c0258dc6ca7aa69e7b6d7

SHA512
b371c8843604ed882c3b745964a4638eeb151b3c923c14979387d5955948b41a8ec3de2211f85768ec04ceb53daf51ed9dad9ae9a5ae19120ce54b677be1740a

Download Submit
C:\Users\Admin\AppData\Local\Temp\551364c6-76cc-47fa-9e44-97d081c79658.vbs

Filesize
712B

MD5
ad5816496b95a70c5c9d9a61b8384159

SHA1
f2eba81212f5279e7d2a754fcdbb4887e2909233

SHA256
97ecdf60e5b8a6d35445349ff62c72a4b44c5520fd38667962133c9a62efe0ca

SHA512
9e93ad59207ae0af66dec94515b800fd506f7fe139ae01b3eaf24ff0992864e975a7d6839bb1a3aa2118a7d55471e237cce7d7e08ba1fd46d58bf3aabf567f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b0a6c33-715a-49e8-b4fc-db63b1503a2a.vbs

Filesize
712B

MD5
751a75843a4d8a977d2c613a9ad79105

SHA1
94c8e4667e3ef102ba970f3065c77cef0be6f8b5

SHA256
62d3fc4672af4338734dd138a8515b546634ddc8c0857f95472a6538dcec013f

SHA512
6d09aa94318743636344fa32954e46fac0d3694abfe54389d730a9984dc871aae5e5fa5b0c356ae9ffc7dc041cbc0e05c6882e5bc46db766f130f59196ee7409

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bdbaf06-0c93-4792-a66c-cfdd30bebec6.vbs

Filesize
712B

MD5
4c7510d87b2c14f9199536ad6c0038d8

SHA1
8508c8ace2b9ad6c34957a1129594e1a3e945391

SHA256
2962c120d5e5e9cf1cf9d4a2867b39657259238fc4d00370d55f758437b7e6e4

SHA512
c5e155df655555060c413304bab66b2aa6c087adb72a2b0f53501f46a183014e5c8bcb6c5890f89fae9090a10cb28f36c3c569fac824be608f1c129c4421d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ff55d8e-d710-40a6-9452-f9f92c55bbea.vbs

Filesize
711B

MD5
ba78027ecd75be86c444aa7bad8f342b

SHA1
d7c86ace4d16b5b9e9c2dadb3d8dce5c963cf58d

SHA256
25974ff24fc13862fd0bffce0c8a5ddfb6c7132397dc85c3449cb035f54f6d75

SHA512
bc9c6b66d69e7469e2001a26edce62f343f1c97cf09af47981bdf2922c39d725ff9267c32c18c3ada15eee980560e182fb7d57799cfb03121a2accf141cecebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX5B8E.tmp

Filesize
1.6MB

MD5
ec20848f83db3017eaf15c4f841fddc5

SHA1
3f46877c232c250f7538c26b863497d7c0ffd538

SHA256
7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23

SHA512
d00d7f760f5966860a0eb4233c9d5b0bcdd2c28ccc64099e5fd728b15c08b524aed4f897244415815d31526a4ca8e5779bf137522610d9565abed8cf9fafa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pbtwhsj.frp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a061672f-b0e2-46c6-8af3-dab06f105e03.vbs

Filesize
712B

MD5
d2ef41f313ced23a297f517a295ca2cc

SHA1
dc7c648a9b1916a283a5a6ab70ebe0dad7124e34

SHA256
e185db291c483f8b4f4120527b1997a694e38af84170f8c57e12a588a8cd9699

SHA512
d787072cf8caf26f172cb04c7a5fc10bd788524ca53532a2bad132ffec1857f7be75b05941ee4ba0585062bfc349ceed5375149e145ba70e2ea1c762488c6a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\bab20799-c691-4865-87de-859e3b5b1306.vbs

Filesize
712B

MD5
e419a75ba4152d9f60bab244e61025e7

SHA1
1121c19c7486d1e3aaf8ef6e7dc35fcbc42ad32a

SHA256
ad7d3fbb15c1619cdfdf2004fc47d258c5159212ae6cdca9b51cc797dc9c836a

SHA512
5f1d24ab2808ff371e13a5b73c9e6f4a462d86bc2c1145e8e7e5c53cc69afa34fc696fa1f15be4b1543ae7a2982caa85cbf898774dd8c642ff1e353433eacb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2c25024-e064-4fdb-8df3-56cc1bb15904.vbs

Filesize
712B

MD5
50d34085340de8dbe929f3e55f38e69d

SHA1
d0ccb8c88789bda7ba70780e05101e3bae720c91

SHA256
a92415811b9569984a41ee544de7d5c09ea8391b81db3112857cbdb5794d1e4c

SHA512
d244ce80a2866834de57c1f1568da1a0ce66b5a86e24cfcc58434c57bde0a383580ae180d46e81e58c0c91f30035491368b0ef170c3717183a8b1e59f9ea4383

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0dc306-82f4-4107-8527-2d3022741c6d.vbs

Filesize
712B

MD5
e4a8d5cece9fbc5b9e8d5bfc365232cf

SHA1
145a4acc20486c29d2a04394bd6f0bdae4feda01

SHA256
efe38a647982a905dda6b8fe4886ed6ffe99552356b137cd29089b2fefba9ad2

SHA512
00fbaa8c7f5a63bcf2a2c0e031c2e408d81ff8f2c5c7a6d80da70ba6be1698a51391a7b105e3e5f436c55ee8f745230bcd98a4b6329a4d81cb7a50a183a362fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0aad1ef-3810-4008-b9ab-642a07e4dde4.vbs

Filesize
712B

MD5
ce6120b964b74d047f72f2f662089f9a

SHA1
3bdaf21306524efc728c1eb6dddde5cf9c03c424

SHA256
ca8aff34d685518d9f7fa912c9b26cfe309e8daa73ae0134cc99b9c326e449b7

SHA512
acaf805e7758387cc21b8fe3cbd28af5dc7efc5a1d7c61c0ab3f329edc92e81e9683a7c805f9f5da4f5bf6ac1404fcc5713081e0e3bfee7bb37133785c510726

Download Submit
memory/1176-8-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/1176-12-0x000000001B050000-0x000000001B05A000-memory.dmp

Filesize
40KB

Download
memory/1176-169-0x00007FFDEDD70000-0x00007FFDEE831000-memory.dmp

Filesize
10.8MB

Download
memory/1176-9-0x000000001B010000-0x000000001B018000-memory.dmp

Filesize
32KB

Download
memory/1176-6-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/1176-15-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/1176-7-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1176-4-0x000000001B670000-0x000000001B6C0000-memory.dmp

Filesize
320KB

Download
memory/1176-11-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/1176-5-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/1176-0-0x00007FFDEDD73000-0x00007FFDEDD75000-memory.dmp

Filesize
8KB

Download
memory/1176-10-0x000000001B030000-0x000000001B03C000-memory.dmp

Filesize
48KB

Download
memory/1176-3-0x00000000024C0000-0x00000000024DC000-memory.dmp

Filesize
112KB

Download
memory/1176-1-0x0000000000210000-0x00000000003B2000-memory.dmp

Filesize
1.6MB

Download
memory/1176-2-0x00007FFDEDD70000-0x00007FFDEE831000-memory.dmp

Filesize
10.8MB

Download
memory/1176-16-0x000000001B8A0000-0x000000001B8AA000-memory.dmp

Filesize
40KB

Download
memory/1176-13-0x000000001B870000-0x000000001B87E000-memory.dmp

Filesize
56KB

Download
memory/1176-14-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/1176-17-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

Filesize
48KB

Download
memory/3876-291-0x000000001BD20000-0x000000001BE22000-memory.dmp

Filesize
1.0MB

Download
memory/5276-117-0x000001E423190000-0x000001E4231B2000-memory.dmp

Filesize
136KB

Download