dcrat | f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Size

885KB
MD5

63fa59f7c83ec1df2eac00cc85696830
SHA1

799e9ea365e4ad95c05d21e275e72438882ad776
SHA256

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6
SHA512

0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2888	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000ED0000-0x0000000000FB4000-memory.dmp	dcrat
behavioral1/files/0x000500000001a469-18.dat	dcrat
behavioral1/files/0x000900000001a49e-104.dat	dcrat
behavioral1/memory/2440-154-0x0000000000210000-0x00000000002F4000-memory.dmp	dcrat
behavioral1/memory/2228-165-0x0000000000990000-0x0000000000A74000-memory.dmp	dcrat
behavioral1/memory/1556-188-0x0000000000010000-0x00000000000F4000-memory.dmp	dcrat
behavioral1/memory/1724-200-0x0000000000A60000-0x0000000000B44000-memory.dmp	dcrat
behavioral1/memory/2308-212-0x00000000011D0000-0x00000000012B4000-memory.dmp	dcrat
behavioral1/memory/1304-224-0x00000000000B0000-0x0000000000194000-memory.dmp	dcrat
behavioral1/memory/1324-236-0x0000000000080000-0x0000000000164000-memory.dmp	dcrat
behavioral1/memory/3060-248-0x0000000000CC0000-0x0000000000DA4000-memory.dmp	dcrat
behavioral1/memory/2300-260-0x00000000003E0000-0x00000000004C4000-memory.dmp	dcrat
behavioral1/memory/2900-272-0x0000000000890000-0x0000000000974000-memory.dmp	dcrat
behavioral1/memory/2844-284-0x0000000000AC0000-0x0000000000BA4000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2440	csrss.exe
2228	csrss.exe
2704	csrss.exe
1556	csrss.exe
1724	csrss.exe
2308	csrss.exe
1304	csrss.exe
1324	csrss.exe
3060	csrss.exe
2300	csrss.exe
2900	csrss.exe
2844	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXF97B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\101b941d020240	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXF941.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF955.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXF942.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF943.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF9B0.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF954.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXF97A.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF99F.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\1610b97d3ab4a7	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\6ccacd8608530f	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\lsm.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\f3b6ecef712a24	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF965.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\database\RCXF931.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\security\database\OSPPSVC.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\security\database\OSPPSVC.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\security\database\1610b97d3ab4a7	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\security\database\RCXF930.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2224	schtasks.exe
1656	schtasks.exe
2908	schtasks.exe
2164	schtasks.exe
2148	schtasks.exe
1192	schtasks.exe
2400	schtasks.exe
2884	schtasks.exe
2968	schtasks.exe
3012	schtasks.exe
1524	schtasks.exe
1088	schtasks.exe
2704	schtasks.exe
940	schtasks.exe
3036	schtasks.exe
1040	schtasks.exe
2044	schtasks.exe
2920	schtasks.exe
704	schtasks.exe
2564	schtasks.exe
3068	schtasks.exe
2344	schtasks.exe
2296	schtasks.exe
2724	schtasks.exe
2000	schtasks.exe
1692	schtasks.exe
2744	schtasks.exe
2760	schtasks.exe
3040	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2200	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2440	csrss.exe
2228	csrss.exe
2704	csrss.exe
1556	csrss.exe
1724	csrss.exe
2308	csrss.exe
1304	csrss.exe
1324	csrss.exe
3060	csrss.exe
2300	csrss.exe
2900	csrss.exe
2844	csrss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	2440	csrss.exe
Token: SeDebugPrivilege	2228	csrss.exe
Token: SeDebugPrivilege	2704	csrss.exe
Token: SeDebugPrivilege	1556	csrss.exe
Token: SeDebugPrivilege	1724	csrss.exe
Token: SeDebugPrivilege	2308	csrss.exe
Token: SeDebugPrivilege	1304	csrss.exe
Token: SeDebugPrivilege	1324	csrss.exe
Token: SeDebugPrivilege	3060	csrss.exe
Token: SeDebugPrivilege	2300	csrss.exe
Token: SeDebugPrivilege	2900	csrss.exe
Token: SeDebugPrivilege	2844	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2084	2200	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2200 wrote to memory of 2084	2200	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2200 wrote to memory of 2084	2200	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2084 wrote to memory of 888	2084	cmd.exe	63
PID 2084 wrote to memory of 888	2084	cmd.exe	63
PID 2084 wrote to memory of 888	2084	cmd.exe	63
PID 2084 wrote to memory of 2440	2084	cmd.exe	64
PID 2084 wrote to memory of 2440	2084	cmd.exe	64
PID 2084 wrote to memory of 2440	2084	cmd.exe	64
PID 2440 wrote to memory of 472	2440	csrss.exe	65
PID 2440 wrote to memory of 472	2440	csrss.exe	65
PID 2440 wrote to memory of 472	2440	csrss.exe	65
PID 2440 wrote to memory of 3052	2440	csrss.exe	66
PID 2440 wrote to memory of 3052	2440	csrss.exe	66
PID 2440 wrote to memory of 3052	2440	csrss.exe	66
PID 472 wrote to memory of 2228	472	WScript.exe	67
PID 472 wrote to memory of 2228	472	WScript.exe	67
PID 472 wrote to memory of 2228	472	WScript.exe	67
PID 2228 wrote to memory of 3004	2228	csrss.exe	68
PID 2228 wrote to memory of 3004	2228	csrss.exe	68
PID 2228 wrote to memory of 3004	2228	csrss.exe	68
PID 2228 wrote to memory of 908	2228	csrss.exe	69
PID 2228 wrote to memory of 908	2228	csrss.exe	69
PID 2228 wrote to memory of 908	2228	csrss.exe	69
PID 3004 wrote to memory of 2704	3004	WScript.exe	70
PID 3004 wrote to memory of 2704	3004	WScript.exe	70
PID 3004 wrote to memory of 2704	3004	WScript.exe	70
PID 2704 wrote to memory of 2696	2704	csrss.exe	71
PID 2704 wrote to memory of 2696	2704	csrss.exe	71
PID 2704 wrote to memory of 2696	2704	csrss.exe	71
PID 2704 wrote to memory of 1532	2704	csrss.exe	72
PID 2704 wrote to memory of 1532	2704	csrss.exe	72
PID 2704 wrote to memory of 1532	2704	csrss.exe	72
PID 2696 wrote to memory of 1556	2696	WScript.exe	73
PID 2696 wrote to memory of 1556	2696	WScript.exe	73
PID 2696 wrote to memory of 1556	2696	WScript.exe	73
PID 1556 wrote to memory of 936	1556	csrss.exe	74
PID 1556 wrote to memory of 936	1556	csrss.exe	74
PID 1556 wrote to memory of 936	1556	csrss.exe	74
PID 1556 wrote to memory of 304	1556	csrss.exe	75
PID 1556 wrote to memory of 304	1556	csrss.exe	75
PID 1556 wrote to memory of 304	1556	csrss.exe	75
PID 936 wrote to memory of 1724	936	WScript.exe	76
PID 936 wrote to memory of 1724	936	WScript.exe	76
PID 936 wrote to memory of 1724	936	WScript.exe	76
PID 1724 wrote to memory of 2316	1724	csrss.exe	77
PID 1724 wrote to memory of 2316	1724	csrss.exe	77
PID 1724 wrote to memory of 2316	1724	csrss.exe	77
PID 1724 wrote to memory of 2560	1724	csrss.exe	78
PID 1724 wrote to memory of 2560	1724	csrss.exe	78
PID 1724 wrote to memory of 2560	1724	csrss.exe	78
PID 2316 wrote to memory of 2308	2316	WScript.exe	79
PID 2316 wrote to memory of 2308	2316	WScript.exe	79
PID 2316 wrote to memory of 2308	2316	WScript.exe	79
PID 2308 wrote to memory of 2636	2308	csrss.exe	80
PID 2308 wrote to memory of 2636	2308	csrss.exe	80
PID 2308 wrote to memory of 2636	2308	csrss.exe	80
PID 2308 wrote to memory of 960	2308	csrss.exe	81
PID 2308 wrote to memory of 960	2308	csrss.exe	81
PID 2308 wrote to memory of 960	2308	csrss.exe	81
PID 2636 wrote to memory of 1304	2636	WScript.exe	82
PID 2636 wrote to memory of 1304	2636	WScript.exe	82
PID 2636 wrote to memory of 1304	2636	WScript.exe	82
PID 1304 wrote to memory of 1788	1304	csrss.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
"C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:888
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c9bc20-789a-4fa6-9d64-d909f5fcce8f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:472
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ebc29b8-7aed-450c-96d2-c3d775f1fa23.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697912f8-40d3-47c8-bf02-111fedc0fce8.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d592bc-1461-45d8-ac68-37bcba5b245c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4c18a51-0d53-48e1-a402-eec41c9309fd.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4015ecf5-95eb-4354-a459-6899f1766038.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d587994-acdb-4c8b-b8ec-ec09940c4a6b.vbs"
        16⤵
        
        PID:1788
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f64c532-eae9-4348-a72f-a22bc038a3fe.vbs"
        18⤵
        
        PID:2176
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a931a192-550f-47d9-bfa9-71995871598a.vbs"
        20⤵
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2201db-c164-40cd-ac6f-f58080b44138.vbs"
        22⤵
        
        PID:2216
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7124601a-e3db-4610-8b14-e4e35e31a54c.vbs"
        24⤵
        
        PID:3036
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50577ba0-7a73-481f-b919-c5546c0091da.vbs"
        26⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a906930-42c8-483e-8f11-5cb948b00984.vbs"
        26⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f007646-5052-43b4-86de-6f295502405e.vbs"
        24⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6dfe9ec-7fb1-40da-8df2-ab6d92eb7f73.vbs"
        22⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3daf8f3c-6e4b-4f8b-a55e-60aeff79ed1f.vbs"
        20⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cbdd7d-f5aa-497e-b6a5-a7982cb348c2.vbs"
        18⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\702ca2db-f4ae-4102-a93b-fddf75f9d9af.vbs"
        16⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66d94020-53da-4076-8b02-8aa9d392e1d0.vbs"
        14⤵
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f405577-8845-40ea-9bfa-6e231e8dbe11.vbs"
        12⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28245841-5a20-4a3b-973e-9582a813ebba.vbs"
        10⤵
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc1d0b48-a0d7-4334-a3e4-f0da1714fc23.vbs"
        8⤵
        
        PID:1532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26279728-d3ec-4d1f-b641-546cbe128031.vbs"
        6⤵
        
        PID:908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a73cff61-282e-49db-830f-bdbf71f11f82.vbs"
      4⤵
      PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\security\database\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\security\database\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\it-IT\RCXF97A.tmp

Filesize
885KB

MD5
385c39cd8725c240f6e03a1329057d63

SHA1
e1ba432892ddf5da513780488861f2d39a8b7a64

SHA256
437dc4d5a1894a1078dc15e69098f831ecd38931e1546f0d84eb9007ef695f90

SHA512
f677d0fc45a42498fd1014a81e25680b87d37fc756f2c294cd84f0e1597c1393fa1814277a72f5938a66c0017727bab1c7943057d814e702274e24e871750131

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe

Filesize
885KB

MD5
63fa59f7c83ec1df2eac00cc85696830

SHA1
799e9ea365e4ad95c05d21e275e72438882ad776

SHA256
f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

SHA512
0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f64c532-eae9-4348-a72f-a22bc038a3fe.vbs

Filesize
748B

MD5
b47ccd115c933bb9da53d15aa6985ac3

SHA1
5ac76e0f27db7d88c95b76b73d29c2c732806ab8

SHA256
849c43520e15b5973e034c8c3c1a8a568998ce21f672904977c07ba5ebea4347

SHA512
77575995480aaabfdec650afd266975caa3ab8df1ec868b6b304228ba53e18d3671b53f8c45b43dd8ec3fc73553ed8be94cfc418e42efde964683f2b4a318a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\4015ecf5-95eb-4354-a459-6899f1766038.vbs

Filesize
748B

MD5
146d417fafc14758411477840d7f988e

SHA1
2c463139fbc8e151e93a09533cc59b815c8617c8

SHA256
d54472cb10a953e065efb1446e7290b36e5e0a8dc2336387a31ede980da355ec

SHA512
f9c7ea68df0144d5ee480ce504ecc5faa5f2e76701d07893bda3d38dc5023ad94aadcb9f4142326cbb912856ec8709166f49c5b1eefea97081f11bc6fa0c2e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50577ba0-7a73-481f-b919-c5546c0091da.vbs

Filesize
748B

MD5
6e3649e3b8b4c2f31bad181f5b3dffe6

SHA1
3653eecd3dd38fb883f031b23bcc7d2bc40ff337

SHA256
3188ad08fd6359532af5f6659a6360e71ad187be520b5c473f8605ad3edb7cff

SHA512
1a5cdd41ab765ed31e4fee5f7888c87ff68b047263dc5afce7d0b6e203e075797a7dd4f29e7f73939dd5c71e532f2c78004728fa127c2da15b8242f9c75bec4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ebc29b8-7aed-450c-96d2-c3d775f1fa23.vbs

Filesize
748B

MD5
8a7706a923852c0b69e335f8a21184ab

SHA1
cbda921b1db980ac8e764440252f40e6e96a7ea3

SHA256
2f7fcb5e86897bcc3ea9c188460936d3772ea34ff37b88ec5acaec159633dfe8

SHA512
d13cc2e4dd1591b8d7b83a57d87e26afbaf2b6376149bfd38f50dfedbbd0db1412c0f3656873b4d5a283d6848f1732492f58c9482bf81163a3b9d45db61dea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\697912f8-40d3-47c8-bf02-111fedc0fce8.vbs

Filesize
748B

MD5
334c9fdecfc50c391e04d01b95b9e82c

SHA1
4d3218fb121d441f2643e620b31ad91972b276f6

SHA256
7b0a0eb312edf86196d5a5db9a67f49289ec9e80a8e3a5b68e631e29946b0094

SHA512
6ea4b2e8eb2385b6d3d5c7c734a739c6b73a6240a76014bf3bbacc8ec845f9ec875bb503e1f7fb652a47bd29617e9f9edda3bd4f9ae4f569afcf2891e76fbe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7124601a-e3db-4610-8b14-e4e35e31a54c.vbs

Filesize
748B

MD5
7263f240b5c1472ee3274ccce38c87de

SHA1
0547866c3dd3316608d17415d304cfa18576da49

SHA256
359a59a80fec3d490de9da2fe6393315bdf4471a8e57a5550b53bb59054cd290

SHA512
8eb250fcde4af3f5c668b2f8905aeba253abdc3e62277f8f02423ef754958cf87b4d67dec21e1fe1d80374fd2715d630178dec094be6ff34a79b46dc2f189cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d587994-acdb-4c8b-b8ec-ec09940c4a6b.vbs

Filesize
748B

MD5
a6afde7d800ee08691d5c6268f6bbbe7

SHA1
58d28d9409004eb40961b44478f7ac9135c53151

SHA256
e3a845dee8e3cba7b7e9849989f1d1836d731b72947569bcb85451d3466e06c9

SHA512
6f34b3af61615897f7471f966a2d4c7a91632312d24132dfd2d06ad67ba840fdd70465b259fb91a6f395ab05780604f29afb1e55d3b849c80b4fa330408d7591

Download Submit
C:\Users\Admin\AppData\Local\Temp\88d592bc-1461-45d8-ac68-37bcba5b245c.vbs

Filesize
748B

MD5
b8993bfc5fa7fd06d3ed0c7d5f8db315

SHA1
66b4875c000db6ee9abf5a682e06c75f4d874b90

SHA256
0494ad83585e3a90aaaf1dcb739c77b79e269f6d29da0f4bd75643b0868ed265

SHA512
386697cd8b2b050992fcfd552d984fd5a696e41850dbd15184c86e0685420efd3686770d90eb1582a0009c22bbaf3addaf6d9d5fa00b29818d8d435aec63053b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d2201db-c164-40cd-ac6f-f58080b44138.vbs

Filesize
748B

MD5
fae6d7b795170edc49be72983fdc2dc6

SHA1
95a9965376263770972c7827b6dacfcf9b15b1ff

SHA256
9afcdba7cbb4967419bcf2b6311ea41a75fd0cb3fc1116d80c5536b6f895d65e

SHA512
3388a5ef8f446a38a78e3e4ef34906f3aaabf65c46104ca92288a208e659aeea8ffd4377ec3c6d9ae5336cbe40863716f7ea007dc3f1475a915359352bdcc8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a73cff61-282e-49db-830f-bdbf71f11f82.vbs

Filesize
524B

MD5
7f27c93862f1c9b136938c1d17d2e8ad

SHA1
8598130e02857d6dd160af4d4838ae3a04d495df

SHA256
f2c2feed03a726d13155ee32f190232b15d0cd503904177eca10e0137bce2f40

SHA512
5e5e9736faebdb3d43dd353a87e17845bf6586c54abd23c8d84cf39fb38bbc5857813e2e77164329e55e154779d1692d156ddde9f28f95a25ce8db387b417b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\a931a192-550f-47d9-bfa9-71995871598a.vbs

Filesize
748B

MD5
b359b43a014817fba944c38e4f6ea2f7

SHA1
9d54aac534b7fef93f4f16b118c45e6453992db8

SHA256
b348312a038f7fba2d30c10214e016c1b8bcdbe8b910f9f499e4c62b30c0d3cf

SHA512
8fe60a153b5390530f92d08d53c8e5620f57a7699e8a3b8e53dda105bc48bf52be8128254019a49fc4d3e431b273d7d00302bdeedf443a81d62bea4896f51fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c593460a1cc26114da33333df493100821daf2d0.exe

Filesize
885KB

MD5
a46471e6ef6734b90d643e67c31813bd

SHA1
a76c6d7db88a762ec23049737f89c25c580467bf

SHA256
9eb6ec6fea9d3a6a617003d2f4bea24109a23363412b0d4bd2008166cc911652

SHA512
ac52f94860889c005edca0a7d51ac37b2cdbb3af4ffbce529c1a54ae9df3888583e2590e22dd30671a53a8c10a3f6d5e11015a266d31bc57b3c2a91757b1a0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c18a51-0d53-48e1-a402-eec41c9309fd.vbs

Filesize
748B

MD5
a3ac0e4ee8c8c2dc4fc99afdc82cb8e4

SHA1
439941840ca83f6ae3c494ee2907ff7c5db2d82c

SHA256
92e5f4deb7960c930dab02d85770c92848bcecee139b072caea671010cde3ad4

SHA512
337e8c6cde998c99483c9896f4f6c37cc7b6d0acb03d720d1c420ececf5f1ebcca301542b174475f693462679c7163da39cf72b624d06c5d698277ddd26bf986

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4c9bc20-789a-4fa6-9d64-d909f5fcce8f.vbs

Filesize
748B

MD5
6b953e706e1714f62e92bba1536279a0

SHA1
439f3f6b566617a3c49b10848484307f2fbc68b2

SHA256
4055d4cafbb24082ef10c98a3f1c646f65f9d1e8dab404779e2c9183409d84c9

SHA512
23fee942c29e8f1ad4c933310951c674af95e3945ac79f28a8844000b1cbc002ff41b6c1bd5412b77931129d9319c8e8eb61cbd417685682abac8b0b8a9a91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat

Filesize
237B

MD5
01ae633f4ed36bf4c8d833288edb2d48

SHA1
3c00df75ef2461386583acc8b7d6016d863c2211

SHA256
b9cfac0b1d84ea9d2fe01ca76654788bc767423d80de8970e12e2e7756beae6c

SHA512
11c00e2087036c2136976ce75c37284dceb696f0e29a610514b401dd7bd001e95661f8913c806d4363efb06806341a63e6461778769725e347141023edc38564

Download Submit
memory/1304-224-0x00000000000B0000-0x0000000000194000-memory.dmp

Filesize
912KB

Download
memory/1324-236-0x0000000000080000-0x0000000000164000-memory.dmp

Filesize
912KB

Download
memory/1556-188-0x0000000000010000-0x00000000000F4000-memory.dmp

Filesize
912KB

Download
memory/1724-200-0x0000000000A60000-0x0000000000B44000-memory.dmp

Filesize
912KB

Download
memory/2200-7-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2200-5-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/2200-9-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2200-8-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2200-1-0x0000000000ED0000-0x0000000000FB4000-memory.dmp

Filesize
912KB

Download
memory/2200-6-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/2200-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2200-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2200-151-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-4-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2228-165-0x0000000000990000-0x0000000000A74000-memory.dmp

Filesize
912KB

Download
memory/2300-260-0x00000000003E0000-0x00000000004C4000-memory.dmp

Filesize
912KB

Download
memory/2308-212-0x00000000011D0000-0x00000000012B4000-memory.dmp

Filesize
912KB

Download
memory/2440-154-0x0000000000210000-0x00000000002F4000-memory.dmp

Filesize
912KB

Download
memory/2844-284-0x0000000000AC0000-0x0000000000BA4000-memory.dmp

Filesize
912KB

Download
memory/2900-272-0x0000000000890000-0x0000000000974000-memory.dmp

Filesize
912KB

Download
memory/3060-248-0x0000000000CC0000-0x0000000000DA4000-memory.dmp

Filesize
912KB

Download