dcrat | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77ff4e4dd651e4c89e2297a2a321987.exe
Size

885KB
MD5

a77ff4e4dd651e4c89e2297a2a321987
SHA1

a9547ffaf19a4e24b18bfd064daa8c0286dcfde9
SHA256

6edd1467581b5e8050205a8da77435b71115ab9b69e76fd46c1dc8abd63664dc
SHA512

2df2d8ef093dc2a53ca2b23544fae535dea9884e296fca639d5168606369742c62d73a834b96696711800023adc0b2204f05e235641ce9edaabbf9985f6732e7
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5540	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5624	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1408	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/5700-1-0x0000000000350000-0x0000000000434000-memory.dmp	dcrat
behavioral14/files/0x000700000002428c-19.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	a77ff4e4dd651e4c89e2297a2a321987.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
4692	RuntimeBroker.exe
4656	RuntimeBroker.exe
1332	RuntimeBroker.exe
2276	RuntimeBroker.exe
2628	RuntimeBroker.exe
4492	RuntimeBroker.exe
5672	RuntimeBroker.exe
3184	RuntimeBroker.exe
5024	RuntimeBroker.exe
5100	RuntimeBroker.exe
5280	RuntimeBroker.exe
2056	RuntimeBroker.exe
1368	RuntimeBroker.exe
2772	RuntimeBroker.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX688F.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX68E6.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX68F6.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX6909.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\56085415360792	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ea9f0e6c9e2dcd	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Microsoft.NET\explorer.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX68A0.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX6919.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe	a77ff4e4dd651e4c89e2297a2a321987.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	a77ff4e4dd651e4c89e2297a2a321987.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5680	schtasks.exe
5540	schtasks.exe
2656	schtasks.exe
4932	schtasks.exe
2288	schtasks.exe
4920	schtasks.exe
5060	schtasks.exe
392	schtasks.exe
4148	schtasks.exe
4884	schtasks.exe
5004	schtasks.exe
4984	schtasks.exe
4428	schtasks.exe
5300	schtasks.exe
2352	schtasks.exe
4876	schtasks.exe
4836	schtasks.exe
4952	schtasks.exe
4944	schtasks.exe
5624	schtasks.exe
512	schtasks.exe
2784	schtasks.exe
676	schtasks.exe
2356	schtasks.exe
5116	schtasks.exe
5072	schtasks.exe
5088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
5700	a77ff4e4dd651e4c89e2297a2a321987.exe
5700	a77ff4e4dd651e4c89e2297a2a321987.exe
5700	a77ff4e4dd651e4c89e2297a2a321987.exe
4692	RuntimeBroker.exe
4656	RuntimeBroker.exe
1332	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2628	RuntimeBroker.exe
4492	RuntimeBroker.exe
4492	RuntimeBroker.exe
5672	RuntimeBroker.exe
3184	RuntimeBroker.exe
5024	RuntimeBroker.exe
5100	RuntimeBroker.exe
5280	RuntimeBroker.exe
2056	RuntimeBroker.exe
1368	RuntimeBroker.exe
2772	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5700	a77ff4e4dd651e4c89e2297a2a321987.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	4656	RuntimeBroker.exe
Token: SeDebugPrivilege	1332	RuntimeBroker.exe
Token: SeDebugPrivilege	2276	RuntimeBroker.exe
Token: SeDebugPrivilege	2628	RuntimeBroker.exe
Token: SeDebugPrivilege	4492	RuntimeBroker.exe
Token: SeDebugPrivilege	5672	RuntimeBroker.exe
Token: SeDebugPrivilege	3184	RuntimeBroker.exe
Token: SeDebugPrivilege	5024	RuntimeBroker.exe
Token: SeDebugPrivilege	5100	RuntimeBroker.exe
Token: SeDebugPrivilege	5280	RuntimeBroker.exe
Token: SeDebugPrivilege	2056	RuntimeBroker.exe
Token: SeDebugPrivilege	1368	RuntimeBroker.exe
Token: SeDebugPrivilege	2772	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5700 wrote to memory of 2552	5700	a77ff4e4dd651e4c89e2297a2a321987.exe	116
PID 5700 wrote to memory of 2552	5700	a77ff4e4dd651e4c89e2297a2a321987.exe	116
PID 2552 wrote to memory of 5344	2552	cmd.exe	118
PID 2552 wrote to memory of 5344	2552	cmd.exe	118
PID 2552 wrote to memory of 4692	2552	cmd.exe	122
PID 2552 wrote to memory of 4692	2552	cmd.exe	122
PID 4692 wrote to memory of 4964	4692	RuntimeBroker.exe	124
PID 4692 wrote to memory of 4964	4692	RuntimeBroker.exe	124
PID 4692 wrote to memory of 4304	4692	RuntimeBroker.exe	125
PID 4692 wrote to memory of 4304	4692	RuntimeBroker.exe	125
PID 4964 wrote to memory of 4656	4964	WScript.exe	128
PID 4964 wrote to memory of 4656	4964	WScript.exe	128
PID 4656 wrote to memory of 2380	4656	RuntimeBroker.exe	129
PID 4656 wrote to memory of 2380	4656	RuntimeBroker.exe	129
PID 4656 wrote to memory of 4648	4656	RuntimeBroker.exe	130
PID 4656 wrote to memory of 4648	4656	RuntimeBroker.exe	130
PID 2380 wrote to memory of 1332	2380	WScript.exe	132
PID 2380 wrote to memory of 1332	2380	WScript.exe	132
PID 1332 wrote to memory of 4500	1332	RuntimeBroker.exe	134
PID 1332 wrote to memory of 4500	1332	RuntimeBroker.exe	134
PID 1332 wrote to memory of 5796	1332	RuntimeBroker.exe	135
PID 1332 wrote to memory of 5796	1332	RuntimeBroker.exe	135
PID 4500 wrote to memory of 2276	4500	WScript.exe	142
PID 4500 wrote to memory of 2276	4500	WScript.exe	142
PID 2276 wrote to memory of 2536	2276	RuntimeBroker.exe	143
PID 2276 wrote to memory of 2536	2276	RuntimeBroker.exe	143
PID 2276 wrote to memory of 3736	2276	RuntimeBroker.exe	144
PID 2276 wrote to memory of 3736	2276	RuntimeBroker.exe	144
PID 2536 wrote to memory of 2628	2536	WScript.exe	145
PID 2536 wrote to memory of 2628	2536	WScript.exe	145
PID 2628 wrote to memory of 5460	2628	RuntimeBroker.exe	146
PID 2628 wrote to memory of 5460	2628	RuntimeBroker.exe	146
PID 2628 wrote to memory of 1180	2628	RuntimeBroker.exe	147
PID 2628 wrote to memory of 1180	2628	RuntimeBroker.exe	147
PID 5460 wrote to memory of 4492	5460	WScript.exe	148
PID 5460 wrote to memory of 4492	5460	WScript.exe	148
PID 4492 wrote to memory of 5764	4492	RuntimeBroker.exe	149
PID 4492 wrote to memory of 5764	4492	RuntimeBroker.exe	149
PID 4492 wrote to memory of 1084	4492	RuntimeBroker.exe	150
PID 4492 wrote to memory of 1084	4492	RuntimeBroker.exe	150
PID 5764 wrote to memory of 5672	5764	WScript.exe	151
PID 5764 wrote to memory of 5672	5764	WScript.exe	151
PID 5672 wrote to memory of 5772	5672	RuntimeBroker.exe	152
PID 5672 wrote to memory of 5772	5672	RuntimeBroker.exe	152
PID 5672 wrote to memory of 5276	5672	RuntimeBroker.exe	153
PID 5672 wrote to memory of 5276	5672	RuntimeBroker.exe	153
PID 5772 wrote to memory of 3184	5772	WScript.exe	154
PID 5772 wrote to memory of 3184	5772	WScript.exe	154
PID 3184 wrote to memory of 5200	3184	RuntimeBroker.exe	156
PID 3184 wrote to memory of 5200	3184	RuntimeBroker.exe	156
PID 3184 wrote to memory of 5920	3184	RuntimeBroker.exe	157
PID 3184 wrote to memory of 5920	3184	RuntimeBroker.exe	157
PID 5200 wrote to memory of 5024	5200	WScript.exe	158
PID 5200 wrote to memory of 5024	5200	WScript.exe	158
PID 5024 wrote to memory of 5012	5024	RuntimeBroker.exe	159
PID 5024 wrote to memory of 5012	5024	RuntimeBroker.exe	159
PID 5024 wrote to memory of 5300	5024	RuntimeBroker.exe	160
PID 5024 wrote to memory of 5300	5024	RuntimeBroker.exe	160
PID 5012 wrote to memory of 5100	5012	WScript.exe	161
PID 5012 wrote to memory of 5100	5012	WScript.exe	161
PID 5100 wrote to memory of 3528	5100	RuntimeBroker.exe	162
PID 5100 wrote to memory of 3528	5100	RuntimeBroker.exe	162
PID 5100 wrote to memory of 3212	5100	RuntimeBroker.exe	163
PID 5100 wrote to memory of 3212	5100	RuntimeBroker.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a77ff4e4dd651e4c89e2297a2a321987.exe
"C:\Users\Admin\AppData\Local\Temp\a77ff4e4dd651e4c89e2297a2a321987.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHJCziM9KR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5344
- - C:\f170d29a37c9c9775251\RuntimeBroker.exe
    "C:\f170d29a37c9c9775251\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5035c830-3165-4b6b-862e-e93f34b953b7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca0a86a-c9e0-44f0-86b5-d8e072c75a44.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57acc678-d63b-4bb0-b535-77b4641eff54.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1e7584-eb8f-4643-89b2-b7ff1518c9a6.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20cd8dd6-9c77-4d3e-afd6-155c6feeffde.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5460
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46ed4e8a-8b66-4fb6-baf6-6d4f97722a2b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\998839af-8a1d-4091-9f05-aec76001a1d6.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5772
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07bd1d0b-b158-47e0-a07d-291b35a03450.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffee01d1-236a-48d5-b92c-56da16d802c6.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6018964a-3080-415f-a6dd-b83e58d79a0e.vbs"
        22⤵
        
        PID:3528
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30c5ae33-74b8-42c6-9d65-65dccfbd39fa.vbs"
        24⤵
        
        PID:2828
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75396288-91b2-4e76-84d6-e77ca0a666e8.vbs"
        26⤵
        
        PID:1464
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70922d4e-4571-409c-a688-3e556dff5390.vbs"
        28⤵
        
        PID:2760
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        
        C:\f170d29a37c9c9775251\RuntimeBroker.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34387cca-62c8-4cb4-8dc8-cf49c42322c6.vbs"
        30⤵
        
        PID:4296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87008464-532c-46a5-a167-6e4eefa65b43.vbs"
        30⤵
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e99fc5-5a0f-4080-b061-2b692da7e1c9.vbs"
        28⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae9153a-7e8d-4de9-a25a-0ee811ad4674.vbs"
        26⤵
        
        PID:3780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f631c7d-a3ad-47a1-8f3b-456ac7818e63.vbs"
        24⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79653a75-2056-4566-9b6f-7d15e0049508.vbs"
        22⤵
        
        PID:3212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0050fa-25e9-4c5c-9be4-ed66f9caae04.vbs"
        20⤵
        
        PID:5300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2dd02dd-1b38-4615-afbc-0680e2dfb872.vbs"
        18⤵
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b14e74e-2061-43bd-9031-4d493615484a.vbs"
        16⤵
        
        PID:5276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfaa0303-5849-40df-8dc5-7f2ecca05a08.vbs"
        14⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\661c3ace-ba09-4a17-8a35-0bc0fed324de.vbs"
        12⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9661405-bc82-467d-8689-dd45820155b6.vbs"
        10⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd6739f6-5469-458d-9e3b-931eb85ff5af.vbs"
        8⤵
        
        PID:5796
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c43074d-e592-4074-8d35-eec99430c759.vbs"
        6⤵
        
        PID:4648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da20449-9578-478e-b9f1-27b1929f1c8d.vbs"
      4⤵
      PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe

Filesize
885KB

MD5
a77ff4e4dd651e4c89e2297a2a321987

SHA1
a9547ffaf19a4e24b18bfd064daa8c0286dcfde9

SHA256
6edd1467581b5e8050205a8da77435b71115ab9b69e76fd46c1dc8abd63664dc

SHA512
2df2d8ef093dc2a53ca2b23544fae535dea9884e296fca639d5168606369742c62d73a834b96696711800023adc0b2204f05e235641ce9edaabbf9985f6732e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\07bd1d0b-b158-47e0-a07d-291b35a03450.vbs

Filesize
717B

MD5
9436f0e3f86fa29298fc7bb805691243

SHA1
fbd6f90120b4a16a7629dc95008e6c3ca1474d9f

SHA256
2987fa6c1bd9d745778b3873b2db6de05b8a87d070588c481edec912be804f11

SHA512
690bb88c6311be8d6b049c712ebfe909844c54501ae0cb6ed76ca28c8e23c2e485e0e5da276bcdf91fcb21328be1912654664914104999a5007804c330e89f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\0da20449-9578-478e-b9f1-27b1929f1c8d.vbs

Filesize
493B

MD5
cd97ea9e99900c3588a89cf56f677de6

SHA1
128577be106f5aa30808f2cda28541dea99d935b

SHA256
032da6c38f3a06678787c9140f8ceded685b3fc56a5f538928643eeb690445a0

SHA512
4197c23214f319581fa8523ca9e750c973d7ad874dc2fb9c01681b297a512cc0183db539ad33018db178c958502df2b94740e892ea4d6f420e0f8ca0fbb1d37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\20cd8dd6-9c77-4d3e-afd6-155c6feeffde.vbs

Filesize
717B

MD5
20d0fa8644f65a93fb3295a6eb4481d5

SHA1
f59384330c3b20bd9e2c75726970c3b6e74b032f

SHA256
69acbd7a529f3d16f86b848ff29b763c3d3a43c454a745d8c5e28a75999ad79c

SHA512
ff00c20c04455f22c8a98a86e916dfea18a5333deba54ef30698e2d611ed47d421bbda58b7cbcf81b97c500805ba82f5d248109acfed8be9bbe624448b9e0917

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f1e7584-eb8f-4643-89b2-b7ff1518c9a6.vbs

Filesize
717B

MD5
4f9bbb2da2b339a1240ff1ec1c901d1d

SHA1
76dfdd2a5b69042490c9fcc8ded3d7b1cac2d941

SHA256
54f033332865015e1d802a6bff510fc89ecf8e32cf6158eecafa36944af00700

SHA512
f8a7fea854803454f7c34a41bd7710703d5ca0165a6ff37e05260a4b4c993a670bd5468fb51cea318f4d0a422fce244cc1d5f87e0730aec43da7dd1ff95434db

Download Submit
C:\Users\Admin\AppData\Local\Temp\30c5ae33-74b8-42c6-9d65-65dccfbd39fa.vbs

Filesize
717B

MD5
cfa0f726d2ce74e9005b40ea3b8dfaa5

SHA1
70bdccc242b08ad8b0052e32dbd792141100efa1

SHA256
193053f73b1172b8b8c903e5da20a9087898d821bfe5da42f46f941885e32358

SHA512
b211965f7faa3ab7abedf72b14e2ba151b818d8cbd866c9e262214f0355424fb6e8ca681435e3fdb6306991be1fd3d64419f8769dbf36dbd331f0d708ed7f477

Download Submit
C:\Users\Admin\AppData\Local\Temp\34387cca-62c8-4cb4-8dc8-cf49c42322c6.vbs

Filesize
717B

MD5
382ed7fa4b2b3c4c38c985faf85336f7

SHA1
36f0edce0d8a41cdae93d1fc774c212591d3c05a

SHA256
6292f0ea47447ef57f468d6353876bb81052f3a70e5b89accf01c73d2026216c

SHA512
d5f98a78aa197d3753fff2839dca0875bc11ea4ff6713e601384e4d98cac52624f627eb7bc3eed317a9da52d7a0549a2749ac4659a788f24d3aeb4a3cb41fe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\46ed4e8a-8b66-4fb6-baf6-6d4f97722a2b.vbs

Filesize
717B

MD5
aa91136698b38a0b5fdbc7a6bd4d7c04

SHA1
27df0b0a2b679cf46eee629b050feb627858955d

SHA256
afb6da65c963873596a0c8cfbbde59480333140082d70143ce2f066ddfb8f1a5

SHA512
9f4d408d1308ab50da92f484186bb34f78cee9e884c66fe11bed98db90dd36fb86ebda8aab6d6f1c0b9a863f86dbe7882557709bb39185ec5c1d4a102533e63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5035c830-3165-4b6b-862e-e93f34b953b7.vbs

Filesize
717B

MD5
e8d9ce276d7ce03f0fc3c3e463cf13d6

SHA1
33a29c8f7f6e534ecfeee6a485e5d5f46ed972c2

SHA256
6511c3002a4224616af36cbcaed315c0253a1867205531a078919ce663a09681

SHA512
6e2a19ab7bdf6fb968bdeeddcd34810d7aad8faaa9e51a467eac94f0251c857718380198cc54d99f05a9f0be020c0089a08a4a030e71caaf9cd404e06f9497fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\57acc678-d63b-4bb0-b535-77b4641eff54.vbs

Filesize
717B

MD5
e8a4fb929e3899f364b032f01ea715bb

SHA1
97e53351a991e9f3321261e38e032550a6dc2518

SHA256
67d52eec0b361fa69ca4ee8a0e83950ea1c9e362e850aecff976372c3a19a022

SHA512
29d68dbba7dd6ca61cff72f689cf83788c4d5af769b80c3f7305bb18ad0cd27bf202172a15d29b863269336126da2c14fe9bd0b7f16840fa95d48b9ae625c4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6018964a-3080-415f-a6dd-b83e58d79a0e.vbs

Filesize
717B

MD5
c0fc65ca3fa2e5ac115766e41b0f9f50

SHA1
784fb6f9c5a18fc8d56319b9a7b012663984685f

SHA256
1adc369e59bd21633907bf698671911298ed7e1e46200a2acd30d6b0e01ea10f

SHA512
dc4c8be8c1687197ab79d6d72cb313d3184e9c9a9fd988870607b9b9cb87d36a55c7b24682d74ea4d63f25b3391e609f35ffb8fb3a6506e25bd86d7ba50e70c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\70922d4e-4571-409c-a688-3e556dff5390.vbs

Filesize
717B

MD5
1f567e82a9fdeca90e0939f81f916b48

SHA1
b40cbd82ccd3dbe4f97a35091265049a83be0a31

SHA256
0e5cd31ef4fd57addd38dcf7f687b0fcb23b5b725aea5fa504e482a744c20171

SHA512
a56393daa63ef86508a60dfb08a8be4d72d4390fee5bec5c75a864ea316b872ea6d1ddc8daabac820321b14c8c66f71c6fe78146415c7e60ea46e5000b404c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\75396288-91b2-4e76-84d6-e77ca0a666e8.vbs

Filesize
717B

MD5
c60a8f6da6209977dbf1a7f66a9cbe57

SHA1
81063d3bc86f360a2d6e1c20a4ebc7cff1ee61e9

SHA256
3895e08b4596abcee62c0bfc46476531e2b2f9759e514517bf179f0527087b05

SHA512
dacdcaeddc785c4107ba77038f2d8276d1fbd4a46bbeec855f9ce830bde35d65eed71d3a3a754312406a68fa389ef00d7ab6d69ea183b97399d233f44ddaaec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\998839af-8a1d-4091-9f05-aec76001a1d6.vbs

Filesize
717B

MD5
18e6bf7f77763950465779d792212e39

SHA1
3df0536ce271e720202b09ec37045db2ca82c9bb

SHA256
ac38a4d4db274ef0705d169cd7abeb7a1fb157f35376cf554ba82a414c06f384

SHA512
de96a571e6759532f7e7a4841da9c867c4522e195c88a0c7b2c95a164748202b99ccb35413954b9ca4d77862ec26864d971a40ff64971f8530ba1fed54d2f2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cca0a86a-c9e0-44f0-86b5-d8e072c75a44.vbs

Filesize
717B

MD5
ac31f33e6da4edf9f9b08261b2117e59

SHA1
1799f5f348eb0d3b6b4b1edc26cbfa2027876561

SHA256
23d69d91da078c9c346daed8fcea5f807d711f61919dd5b9baa13586ffe050a4

SHA512
69cbc552d3b31b63dab89be31435d8ace82a91d236050d176b2acae8a64cb9927ea77cc24b05e11b5dbcf704ef859ee0a28705ff5ab4d140a3a1e1b6b14b9a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffee01d1-236a-48d5-b92c-56da16d802c6.vbs

Filesize
717B

MD5
6f0b94c3bce86137a5de939c3fc65704

SHA1
b5e1514bad6357af999022ef3af02f5ecca3ec2a

SHA256
0c3dbf5135fd5b98e969a7b2bdfd8d0bc7b31f08180edc2625dc1ff8828db53f

SHA512
08f2dd4e4fceb7f52700bcd92129f36b104d186592f2e473952baeefc6f8249c8806a1aa45e6de01a36b17c52453a2eebbcd02183bc677a002eeb8c17edd9175

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHJCziM9KR.bat

Filesize
206B

MD5
db3082768a022bd4f25c142d9def78f3

SHA1
aa7fa89903dbde600c516d1dfa4387d4758d2225

SHA256
5c9ca778a0df2ff2fc68ed6eb7a161dedaa24c6b54d76f52a2011ec090358cd6

SHA512
8c6a67f0c4c3548b2ef8d3099e19d70ce525dd18fe53bdd07e73a0ef2495e1dbf58a78a7e0c203bb41e6b958bac147223a35462c4bb4c3c57040cd66d83ce977

Download Submit
memory/5700-9-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

Filesize
32KB

Download
memory/5700-4-0x000000001B600000-0x000000001B650000-memory.dmp

Filesize
320KB

Download
memory/5700-5-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/5700-0-0x00007FFC49373000-0x00007FFC49375000-memory.dmp

Filesize
8KB

Download
memory/5700-10-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/5700-3-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/5700-7-0x000000001AF20000-0x000000001AF2A000-memory.dmp

Filesize
40KB

Download
memory/5700-139-0x00007FFC49370000-0x00007FFC49E31000-memory.dmp

Filesize
10.8MB

Download
memory/5700-2-0x00007FFC49370000-0x00007FFC49E31000-memory.dmp

Filesize
10.8MB

Download
memory/5700-8-0x000000001AF30000-0x000000001AF3E000-memory.dmp

Filesize
56KB

Download
memory/5700-6-0x000000001AF00000-0x000000001AF16000-memory.dmp

Filesize
88KB

Download
memory/5700-1-0x0000000000350000-0x0000000000434000-memory.dmp

Filesize
912KB

Download