dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec8c3742e4e01173d709df1353dc5d.exe
Size

885KB
MD5

d1ec8c3742e4e01173d709df1353dc5d
SHA1

30c91b20f0ced765718860cbb2a9f39ca19cf20b
SHA256

e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d
SHA512

1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65
SSDEEP

12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2124	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2124	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/660-1-0x0000000000340000-0x0000000000424000-memory.dmp	dcrat
behavioral18/files/0x00070000000240d2-19.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	d1ec8c3742e4e01173d709df1353dc5d.exe

Executes dropped EXE 14 IoCs

pid	Process
4060	services.exe
3268	services.exe
3688	services.exe
1972	services.exe
2128	services.exe
3116	services.exe
1436	services.exe
1360	services.exe
3272	services.exe
1508	services.exe
1184	services.exe
2888	services.exe
3152	services.exe
2200	services.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX888B.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX8915.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX889C.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX8904.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Microsoft\Temp\eddb19405b7ce1	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	d1ec8c3742e4e01173d709df1353dc5d.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCX889D.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\de-DE\RCX88AD.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX8916.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX8927.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\de-DE\wininit.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\de-DE\56085415360792	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\Panther\actionqueue\smss.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\Panther\actionqueue\69ddcba757bf72	d1ec8c3742e4e01173d709df1353dc5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	d1ec8c3742e4e01173d709df1353dc5d.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4348	schtasks.exe
4552	schtasks.exe
2292	schtasks.exe
1520	schtasks.exe
2424	schtasks.exe
2564	schtasks.exe
2280	schtasks.exe
1504	schtasks.exe
3840	schtasks.exe
4940	schtasks.exe
4548	schtasks.exe
2968	schtasks.exe
1448	schtasks.exe
4988	schtasks.exe
964	schtasks.exe
3984	schtasks.exe
1360	schtasks.exe
5084	schtasks.exe
692	schtasks.exe
4892	schtasks.exe
4060	schtasks.exe
4456	schtasks.exe
3164	schtasks.exe
908	schtasks.exe
4500	schtasks.exe
4680	schtasks.exe
4384	schtasks.exe
4728	schtasks.exe
2752	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
660	d1ec8c3742e4e01173d709df1353dc5d.exe
4060	services.exe
3268	services.exe
3688	services.exe
1972	services.exe
2128	services.exe
2128	services.exe
3116	services.exe
3116	services.exe
1436	services.exe
1436	services.exe
1360	services.exe
3272	services.exe
1508	services.exe
1184	services.exe
2888	services.exe
3152	services.exe
3152	services.exe
2200	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	d1ec8c3742e4e01173d709df1353dc5d.exe
Token: SeDebugPrivilege	4060	services.exe
Token: SeDebugPrivilege	3268	services.exe
Token: SeDebugPrivilege	3688	services.exe
Token: SeDebugPrivilege	1972	services.exe
Token: SeDebugPrivilege	2128	services.exe
Token: SeDebugPrivilege	3116	services.exe
Token: SeDebugPrivilege	1436	services.exe
Token: SeDebugPrivilege	1360	services.exe
Token: SeDebugPrivilege	3272	services.exe
Token: SeDebugPrivilege	1508	services.exe
Token: SeDebugPrivilege	1184	services.exe
Token: SeDebugPrivilege	2888	services.exe
Token: SeDebugPrivilege	3152	services.exe
Token: SeDebugPrivilege	2200	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 2744	660	d1ec8c3742e4e01173d709df1353dc5d.exe	120
PID 660 wrote to memory of 2744	660	d1ec8c3742e4e01173d709df1353dc5d.exe	120
PID 2744 wrote to memory of 3064	2744	cmd.exe	122
PID 2744 wrote to memory of 3064	2744	cmd.exe	122
PID 2744 wrote to memory of 4060	2744	cmd.exe	127
PID 2744 wrote to memory of 4060	2744	cmd.exe	127
PID 4060 wrote to memory of 2528	4060	services.exe	129
PID 4060 wrote to memory of 2528	4060	services.exe	129
PID 4060 wrote to memory of 2104	4060	services.exe	130
PID 4060 wrote to memory of 2104	4060	services.exe	130
PID 2528 wrote to memory of 3268	2528	WScript.exe	133
PID 2528 wrote to memory of 3268	2528	WScript.exe	133
PID 3268 wrote to memory of 2404	3268	services.exe	134
PID 3268 wrote to memory of 2404	3268	services.exe	134
PID 3268 wrote to memory of 1388	3268	services.exe	135
PID 3268 wrote to memory of 1388	3268	services.exe	135
PID 2404 wrote to memory of 3688	2404	WScript.exe	136
PID 2404 wrote to memory of 3688	2404	WScript.exe	136
PID 3688 wrote to memory of 2412	3688	services.exe	137
PID 3688 wrote to memory of 2412	3688	services.exe	137
PID 3688 wrote to memory of 1152	3688	services.exe	138
PID 3688 wrote to memory of 1152	3688	services.exe	138
PID 2412 wrote to memory of 1972	2412	WScript.exe	140
PID 2412 wrote to memory of 1972	2412	WScript.exe	140
PID 1972 wrote to memory of 3940	1972	services.exe	142
PID 1972 wrote to memory of 3940	1972	services.exe	142
PID 1972 wrote to memory of 3388	1972	services.exe	143
PID 1972 wrote to memory of 3388	1972	services.exe	143
PID 3940 wrote to memory of 2128	3940	WScript.exe	151
PID 3940 wrote to memory of 2128	3940	WScript.exe	151
PID 2128 wrote to memory of 2116	2128	services.exe	152
PID 2128 wrote to memory of 2116	2128	services.exe	152
PID 2128 wrote to memory of 5108	2128	services.exe	153
PID 2128 wrote to memory of 5108	2128	services.exe	153
PID 2116 wrote to memory of 3116	2116	WScript.exe	154
PID 2116 wrote to memory of 3116	2116	WScript.exe	154
PID 3116 wrote to memory of 3400	3116	services.exe	155
PID 3116 wrote to memory of 3400	3116	services.exe	155
PID 3116 wrote to memory of 448	3116	services.exe	156
PID 3116 wrote to memory of 448	3116	services.exe	156
PID 3400 wrote to memory of 1436	3400	WScript.exe	157
PID 3400 wrote to memory of 1436	3400	WScript.exe	157
PID 1436 wrote to memory of 3348	1436	services.exe	158
PID 1436 wrote to memory of 3348	1436	services.exe	158
PID 1436 wrote to memory of 3268	1436	services.exe	159
PID 1436 wrote to memory of 3268	1436	services.exe	159
PID 3348 wrote to memory of 1360	3348	WScript.exe	160
PID 3348 wrote to memory of 1360	3348	WScript.exe	160
PID 1360 wrote to memory of 3964	1360	services.exe	161
PID 1360 wrote to memory of 3964	1360	services.exe	161
PID 1360 wrote to memory of 1672	1360	services.exe	162
PID 1360 wrote to memory of 1672	1360	services.exe	162
PID 3964 wrote to memory of 3272	3964	WScript.exe	164
PID 3964 wrote to memory of 3272	3964	WScript.exe	164
PID 3272 wrote to memory of 4388	3272	services.exe	165
PID 3272 wrote to memory of 4388	3272	services.exe	165
PID 3272 wrote to memory of 740	3272	services.exe	166
PID 3272 wrote to memory of 740	3272	services.exe	166
PID 4388 wrote to memory of 1508	4388	WScript.exe	167
PID 4388 wrote to memory of 1508	4388	WScript.exe	167
PID 1508 wrote to memory of 2928	1508	services.exe	168
PID 1508 wrote to memory of 2928	1508	services.exe	168
PID 1508 wrote to memory of 4204	1508	services.exe	169
PID 1508 wrote to memory of 4204	1508	services.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7mEKGU2bzn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3064
- - C:\Recovery\WindowsRE\services.exe
    "C:\Recovery\WindowsRE\services.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc997bdd-b826-4187-bb3c-f5ca29b9ebaf.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b19196af-1f07-47a2-9a4a-9235aaf99679.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b20c6ff0-a5c2-4236-a268-1372da6c8ff1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b1c47c-de2f-47ad-bfef-5dbbcec0671c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9b2c04e-04c4-470c-b1e1-539bdba35123.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a863cb85-c9ad-4d6c-a6ef-8390fb931b5c.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cf80aad-acd4-44d0-9d53-b90b21ab151d.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceea659c-ae5d-4336-b539-d873c4ae1dbd.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f963629-0195-4692-9fa9-4f8df63c7436.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b6badf-3d01-40ad-adba-889919498533.vbs"
        22⤵
        
        PID:2928
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89918a6f-6d3b-4879-9e80-87c620a25d30.vbs"
        24⤵
        
        PID:4264
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ada4527-c543-4227-810e-586643ac749c.vbs"
        26⤵
        
        PID:776
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edade9da-5c7a-4815-8e62-397bb5623d92.vbs"
        28⤵
        
        PID:3940
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8160b57-6e88-4419-b86a-b29899e71324.vbs"
        30⤵
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3483fc6f-11e7-4e97-a0ad-26b14ee6d9be.vbs"
        30⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\906a1160-cdec-4620-8678-91c770fa8b0c.vbs"
        28⤵
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8fad66-63f0-4b6e-914e-991efd303f96.vbs"
        26⤵
        
        PID:3364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e28deabb-a611-427b-8e20-ead8659f0068.vbs"
        24⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af224581-e13b-4781-b68c-e3a114975f51.vbs"
        22⤵
        
        PID:4204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc8f5e20-ee8d-4d7b-ad9a-24ed376c769b.vbs"
        20⤵
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc02a47d-48b6-409f-a773-741377eb7229.vbs"
        18⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9b227bc-d1e9-43cc-b4a6-bd995323deaf.vbs"
        16⤵
        
        PID:3268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba85f88-c110-4c9c-8970-b94a7ffd07ad.vbs"
        14⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e41d40-b02d-4921-9c7b-d618304e5b4d.vbs"
        12⤵
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9eccdc8-c056-474c-a832-616ab822775d.vbs"
        10⤵
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0418f4b4-fa5b-4b2a-a809-6fb785a13e93.vbs"
        8⤵
        
        PID:1152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b157db96-703d-494f-8787-eb0ceda95d81.vbs"
        6⤵
        
        PID:1388
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5646046-7e6a-464d-a346-ba6eebd3ce97.vbs"
      4⤵
      PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\28b6badf-3d01-40ad-adba-889919498533.vbs

Filesize
710B

MD5
17fd743386c5b1c58d77af016fbda9a0

SHA1
a56979efe5261240eddbed0403df63950b6df6ab

SHA256
0330447202c74f7a562d5c0ca7f78d626eb708a44f1eeabf16fc6241a62b0520

SHA512
b7ca03b5713322c7a70ebc7ccabb6c00c1f1582bf753ee164729603115997b7ccf34f69a31f048aea5fcba9d9942ecc586888b909c4ebff9239236db5bfc4cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ada4527-c543-4227-810e-586643ac749c.vbs

Filesize
710B

MD5
173fde3fb6e164d31aa005be08b5d39e

SHA1
52f1ddde423dc321cc8508b31a97aee446609163

SHA256
dee2d0e5026d65977386eed870039b0890d4d8808729a03aecadd3e89aeb3151

SHA512
c354152af3c9f86e3031358dad2b64d91a8372998071ef9328ac7fb06b09cbb9165f3b99c0ec63d9e9ad68f5e1b818e5aa78149522c624e25dfe58245ab54e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\42b1c47c-de2f-47ad-bfef-5dbbcec0671c.vbs

Filesize
710B

MD5
3b22c811c0395b744910cecad1dc9d8b

SHA1
fb0c92bbce07b39a85e2910757c98f6966f59bdd

SHA256
be2aedb89cebd793691e8755254c0d778dfad8890d345f45117839eb5395022d

SHA512
5941cc4f8005ce503c10cd13afac83311b501bef14e42efddbdf59cf5a6d69f4ad082c9eee561841c07cba37820351fb2f509837382dc298920aa2f3017ac813

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cf80aad-acd4-44d0-9d53-b90b21ab151d.vbs

Filesize
710B

MD5
040ac485f67cff148977f1e53199f74a

SHA1
a90bfa0dd2f5d1fc86b3099da2100f79af3bb430

SHA256
9c78b1923cdb7a7dfd970cad429ff443c1a92f73f4e85af9798d7ef8ac633769

SHA512
c2b9df040d19cae0e5d4559d4aeb085e6784e0b625b96f42bd15132d63347989109d077df2cab8dfd88ba8084b2cf384a28e1f0f9f68d89ea8ff201dd07b1152

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f963629-0195-4692-9fa9-4f8df63c7436.vbs

Filesize
710B

MD5
a0a5bcc2faf26c382da09ee1fc1ea343

SHA1
94a6d5c22438f7b4c1cce3b7c7a8ea3c02f6b8a5

SHA256
74a4c1c8f90a26eaf08fe5db7d7ecf481c450f14ec68c4a5e0b4cd9780abdad0

SHA512
de276d899cc4a8ff5203bf482a57035b8f4af918bd5f25c7c6670e0b00584920209080360b02c9993dfdc5b40dbb278167688610bbe43e741d025c6e7c5eade7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mEKGU2bzn.bat

Filesize
199B

MD5
87adef94932c17b9b1261c3d8520f47f

SHA1
7a6066f295f15d144f3e1c6883b5905911b4d4ce

SHA256
739d1b3a29eb023e935a504b3849672c7e021f5c0a33466ce9fdf64df9e2bf8f

SHA512
6f2cf8ce027e9710b91136ace97e81eebc1a7f4e77dfc55399c9f72f053fb6c0b3dd2d45e36943af7505fc4a17d8ecd0b3835193265e1282c177da2dd31850e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\89918a6f-6d3b-4879-9e80-87c620a25d30.vbs

Filesize
710B

MD5
c0333687b23ca2cac004c1908e9d595e

SHA1
a3707a3bf564246e61e6dafb11c20c699682cf48

SHA256
d7d4284f5eeeb6df75d40cf9bc92580b00cda2441821108cf8009ea81551b918

SHA512
9f1ff6dbf1974995a476fc2e24726901bfc1187c86a90c1944ffa32b0095e55b777ab906061427f0b9eff5e62241903527f23f189b28780000bbb35c5eaeeeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a863cb85-c9ad-4d6c-a6ef-8390fb931b5c.vbs

Filesize
710B

MD5
6577df3f2c67036b38e5866573f92ab9

SHA1
05543c860aff3d7e81f40f36a0a417b58edd1b80

SHA256
bf2eb98a87908c31b9396e0897dd886a754661df47b64e7fdbd62e1d899637ee

SHA512
74baaf81c55bd4a36f3798196313cefe53bfe3e1b0b8e5cdf27b6bb9f721bc3c3a7f482f5bde4055ca0f9cae6ad7c97d30a31e86a89ae00a3f3fa36e72f2fd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b19196af-1f07-47a2-9a4a-9235aaf99679.vbs

Filesize
710B

MD5
87785fa3e81466f3567e8b75de04093d

SHA1
04df37d02bac57fc3ad8c806a371952cd10a0684

SHA256
4141ddf1d9f101e43d2f542bdcaf70ae2d241397a45124fbe80317aba58c262a

SHA512
e79c65c1922e2174ef9dc83d8a562b796ee61dae5d124b239af1724251bcaae6ffd9550ae6f3cdbf239848fbf0dbd1ccfdae53cee8b7a99555d1b79e75b3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b20c6ff0-a5c2-4236-a268-1372da6c8ff1.vbs

Filesize
710B

MD5
227b022c10dcf3a740ce830e3752a055

SHA1
268448d5d8c4eb45fcaa06096e3c5bb42455bef2

SHA256
e4928b364fff0a2287aa4b7fed3c4a3dbca2088a0752ff246526cd2259796602

SHA512
e3f42c433b398be4e632ce3e5adc0a5d54681e5128098c8eaa77b08b3eae63f3a46e39fc547b930a2dc2af845700a0a68190b670b27744188ba8ea88f3590aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5646046-7e6a-464d-a346-ba6eebd3ce97.vbs

Filesize
486B

MD5
c11cae2bd28ce23144f883eb24760710

SHA1
9edbd75af7c85918cb9ae670e2aa14c2588cea47

SHA256
5792bacfa58a1eb63a3a9ba56453d8d02f36fe3c7881e0fb3f05885df0299867

SHA512
12f42bf7e2dc8180ff2b032fc075d227a9e1dd66e3773c65d81222f42c936ada6378a174bfc2797cafc2bf238fccda1657671c9d8599877d79d17a6800eb4a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8160b57-6e88-4419-b86a-b29899e71324.vbs

Filesize
710B

MD5
78e4164db7b7be7d60e9d51ff5520bf6

SHA1
8a88754bc49b94f67d1c82efbb502783e6f0be3e

SHA256
f370356421712461624b4b2a52a0c0e6c1743e08920b40db884a3444950c1abc

SHA512
af79f31666274dd3eac85c08867c73d824c2f0ff8cbe95545301edc352eba44710533b195839b8609a8bcec13ca7eb4d7f7c3789a9fa3a653a2cfbc6e30dde85

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc997bdd-b826-4187-bb3c-f5ca29b9ebaf.vbs

Filesize
710B

MD5
65ea80240a566cbbb7729625e14cc4ba

SHA1
b3c11318efecdb70fb3b014e8be808d0e52c2c4d

SHA256
664f0f0243aac52ec2526838526fd6a05ee94b8febf6ff14615bd0446edc7206

SHA512
b629aae477d2f1b82b28c8db155b35a2506b59665eca32688c3099902e89e42d438aa966350dbf099763e570a78b8c942dc2105a3b2f705f46e5f0efc248018e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceea659c-ae5d-4336-b539-d873c4ae1dbd.vbs

Filesize
710B

MD5
00e31cefa1516f157a00c3fd9397b984

SHA1
1d0f493d770c6c05708364fb9d23d62884ff1b87

SHA256
1b1f177caba71612dbed80a560375b3fbcc4df8947e61cd6503c569730be543b

SHA512
4ed18fbef5744c0abb87f2b90bd75a790e3efa3433141f0b07d649db6b90c6ec36b5945f9ef503db8a988b97d9ed04f9d3fc66ed27e026857112c9d53c378f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9b2c04e-04c4-470c-b1e1-539bdba35123.vbs

Filesize
710B

MD5
5c680036651568b0d43e4c3f0a305433

SHA1
6718edacf2e99a99990b57a8ec13d569cc31b738

SHA256
343e077a9566d00b8af2c40dd4e148294024f22a6104f61c9f932425189a53e0

SHA512
e21e5d93b1b86297a068d662433f4f688d1bc2e7aee43451cbd90a45c339e6d4027e6bbf42904956072c13262eab1ec9f672982271d334e0b711b8c579e83152

Download Submit
C:\Users\Admin\AppData\Local\Temp\edade9da-5c7a-4815-8e62-397bb5623d92.vbs

Filesize
710B

MD5
3876d32353782345bf831f23e33e4beb

SHA1
b88920d30a5b4d13a17a38f819806dc5f209a8b9

SHA256
1965ef495329bd61dffd1a377df49186678ae2bbfb5b72454ad557f0767f2d81

SHA512
65bbd14a84210da024ff1770b2a4122be6be28cc18c9567d6ce968904ff6a724db2aecb69356d6f71a94a0f4026aa8e193184218c0f10a0028ba4477a5055338

Download Submit
C:\d9c22b4eaa3c0b9c12c7\explorer.exe

Filesize
885KB

MD5
d1ec8c3742e4e01173d709df1353dc5d

SHA1
30c91b20f0ced765718860cbb2a9f39ca19cf20b

SHA256
e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d

SHA512
1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65

Download Submit
memory/660-7-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/660-10-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/660-9-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/660-8-0x0000000002590000-0x000000000259E000-memory.dmp

Filesize
56KB

Download
memory/660-0-0x00007FFA50F33000-0x00007FFA50F35000-memory.dmp

Filesize
8KB

Download
memory/660-6-0x0000000002560000-0x0000000002576000-memory.dmp

Filesize
88KB

Download
memory/660-4-0x000000001AFC0000-0x000000001B010000-memory.dmp

Filesize
320KB

Download
memory/660-5-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/660-3-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/660-2-0x00007FFA50F30000-0x00007FFA519F1000-memory.dmp

Filesize
10.8MB

Download
memory/660-152-0x00007FFA50F30000-0x00007FFA519F1000-memory.dmp

Filesize
10.8MB

Download
memory/660-1-0x0000000000340000-0x0000000000424000-memory.dmp

Filesize
912KB

Download
memory/1184-278-0x000000001CF90000-0x000000001D092000-memory.dmp

Filesize
1.0MB

Download