dcrat | f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Size

885KB
MD5

63fa59f7c83ec1df2eac00cc85696830
SHA1

799e9ea365e4ad95c05d21e275e72438882ad776
SHA256

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6
SHA512

0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2228	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2228	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2316-1-0x00000000012C0000-0x00000000013A4000-memory.dmp	dcrat
behavioral1/files/0x00060000000190d6-18.dat	dcrat
behavioral1/files/0x0006000000019629-137.dat	dcrat
behavioral1/memory/2200-153-0x0000000001270000-0x0000000001354000-memory.dmp	dcrat
behavioral1/memory/2816-175-0x00000000001F0000-0x00000000002D4000-memory.dmp	dcrat
behavioral1/memory/2144-187-0x0000000000F70000-0x0000000001054000-memory.dmp	dcrat
behavioral1/memory/2268-221-0x0000000000FC0000-0x00000000010A4000-memory.dmp	dcrat
behavioral1/memory/2548-233-0x00000000002C0000-0x00000000003A4000-memory.dmp	dcrat
behavioral1/memory/2512-245-0x00000000011C0000-0x00000000012A4000-memory.dmp	dcrat
behavioral1/memory/2472-279-0x0000000000020000-0x0000000000104000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2200	wininit.exe
3056	wininit.exe
2816	wininit.exe
2144	wininit.exe
2272	wininit.exe
1448	wininit.exe
2268	wininit.exe
2548	wininit.exe
2512	wininit.exe
2968	wininit.exe
2100	wininit.exe
2472	wininit.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX540F.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Internet Explorer\en-US\explorer.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Internet Explorer\en-US\7a0fd90576e088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\24dbde2999530e	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX53F4.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX540E.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX53F2.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX53F3.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX53F5.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Performance\886983d96e3d3e	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Logs\DPX\RCX53DE.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Logs\DPX\RCX53DF.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Performance\RCX5408.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Performance\RCX5409.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Logs\DPX\dwm.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Logs\DPX\6cb0b6c459d5d3	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Performance\csrss.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
604	schtasks.exe
2556	schtasks.exe
1168	schtasks.exe
1984	schtasks.exe
2072	schtasks.exe
2696	schtasks.exe
1908	schtasks.exe
1204	schtasks.exe
2368	schtasks.exe
2548	schtasks.exe
2312	schtasks.exe
1652	schtasks.exe
2184	schtasks.exe
2884	schtasks.exe
2740	schtasks.exe
2776	schtasks.exe
1224	schtasks.exe
2988	schtasks.exe
2128	schtasks.exe
2000	schtasks.exe
2100	schtasks.exe
1824	schtasks.exe
2704	schtasks.exe
2916	schtasks.exe
2108	schtasks.exe
1448	schtasks.exe
1736	schtasks.exe
2764	schtasks.exe
2588	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
2200	wininit.exe
3056	wininit.exe
2816	wininit.exe
2144	wininit.exe
2272	wininit.exe
1448	wininit.exe
2268	wininit.exe
2548	wininit.exe
2512	wininit.exe
2968	wininit.exe
2100	wininit.exe
2472	wininit.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	2200	wininit.exe
Token: SeDebugPrivilege	3056	wininit.exe
Token: SeDebugPrivilege	2816	wininit.exe
Token: SeDebugPrivilege	2144	wininit.exe
Token: SeDebugPrivilege	2272	wininit.exe
Token: SeDebugPrivilege	1448	wininit.exe
Token: SeDebugPrivilege	2268	wininit.exe
Token: SeDebugPrivilege	2548	wininit.exe
Token: SeDebugPrivilege	2512	wininit.exe
Token: SeDebugPrivilege	2968	wininit.exe
Token: SeDebugPrivilege	2100	wininit.exe
Token: SeDebugPrivilege	2472	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2200	2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2316 wrote to memory of 2200	2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2316 wrote to memory of 2200	2316	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	61
PID 2200 wrote to memory of 1512	2200	wininit.exe	62
PID 2200 wrote to memory of 1512	2200	wininit.exe	62
PID 2200 wrote to memory of 1512	2200	wininit.exe	62
PID 2200 wrote to memory of 2964	2200	wininit.exe	63
PID 2200 wrote to memory of 2964	2200	wininit.exe	63
PID 2200 wrote to memory of 2964	2200	wininit.exe	63
PID 1512 wrote to memory of 3056	1512	WScript.exe	64
PID 1512 wrote to memory of 3056	1512	WScript.exe	64
PID 1512 wrote to memory of 3056	1512	WScript.exe	64
PID 3056 wrote to memory of 2256	3056	wininit.exe	65
PID 3056 wrote to memory of 2256	3056	wininit.exe	65
PID 3056 wrote to memory of 2256	3056	wininit.exe	65
PID 3056 wrote to memory of 2736	3056	wininit.exe	66
PID 3056 wrote to memory of 2736	3056	wininit.exe	66
PID 3056 wrote to memory of 2736	3056	wininit.exe	66
PID 2256 wrote to memory of 2816	2256	WScript.exe	67
PID 2256 wrote to memory of 2816	2256	WScript.exe	67
PID 2256 wrote to memory of 2816	2256	WScript.exe	67
PID 2816 wrote to memory of 1600	2816	wininit.exe	68
PID 2816 wrote to memory of 1600	2816	wininit.exe	68
PID 2816 wrote to memory of 1600	2816	wininit.exe	68
PID 2816 wrote to memory of 2180	2816	wininit.exe	69
PID 2816 wrote to memory of 2180	2816	wininit.exe	69
PID 2816 wrote to memory of 2180	2816	wininit.exe	69
PID 1600 wrote to memory of 2144	1600	WScript.exe	70
PID 1600 wrote to memory of 2144	1600	WScript.exe	70
PID 1600 wrote to memory of 2144	1600	WScript.exe	70
PID 2144 wrote to memory of 1468	2144	wininit.exe	71
PID 2144 wrote to memory of 1468	2144	wininit.exe	71
PID 2144 wrote to memory of 1468	2144	wininit.exe	71
PID 2144 wrote to memory of 2416	2144	wininit.exe	72
PID 2144 wrote to memory of 2416	2144	wininit.exe	72
PID 2144 wrote to memory of 2416	2144	wininit.exe	72
PID 1468 wrote to memory of 2272	1468	WScript.exe	73
PID 1468 wrote to memory of 2272	1468	WScript.exe	73
PID 1468 wrote to memory of 2272	1468	WScript.exe	73
PID 2272 wrote to memory of 1644	2272	wininit.exe	74
PID 2272 wrote to memory of 1644	2272	wininit.exe	74
PID 2272 wrote to memory of 1644	2272	wininit.exe	74
PID 2272 wrote to memory of 2808	2272	wininit.exe	75
PID 2272 wrote to memory of 2808	2272	wininit.exe	75
PID 2272 wrote to memory of 2808	2272	wininit.exe	75
PID 1644 wrote to memory of 1448	1644	WScript.exe	76
PID 1644 wrote to memory of 1448	1644	WScript.exe	76
PID 1644 wrote to memory of 1448	1644	WScript.exe	76
PID 1448 wrote to memory of 2456	1448	wininit.exe	77
PID 1448 wrote to memory of 2456	1448	wininit.exe	77
PID 1448 wrote to memory of 2456	1448	wininit.exe	77
PID 1448 wrote to memory of 696	1448	wininit.exe	78
PID 1448 wrote to memory of 696	1448	wininit.exe	78
PID 1448 wrote to memory of 696	1448	wininit.exe	78
PID 2456 wrote to memory of 2268	2456	WScript.exe	79
PID 2456 wrote to memory of 2268	2456	WScript.exe	79
PID 2456 wrote to memory of 2268	2456	WScript.exe	79
PID 2268 wrote to memory of 2460	2268	wininit.exe	80
PID 2268 wrote to memory of 2460	2268	wininit.exe	80
PID 2268 wrote to memory of 2460	2268	wininit.exe	80
PID 2268 wrote to memory of 2576	2268	wininit.exe	81
PID 2268 wrote to memory of 2576	2268	wininit.exe	81
PID 2268 wrote to memory of 2576	2268	wininit.exe	81
PID 2460 wrote to memory of 2548	2460	WScript.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
"C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files\Windows Portable Devices\wininit.exe
  "C:\Program Files\Windows Portable Devices\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5a08a80-56b4-4b66-8c6e-d56119abbc13.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Program Files\Windows Portable Devices\wininit.exe
      "C:\Program Files\Windows Portable Devices\wininit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\599ad9c1-2864-4aab-95bd-230ff119fe7d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93e96575-6424-404c-8519-cd1255e1799f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e285a64-88fc-498a-a679-35512d7869d8.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dded1eb2-38d5-4b99-a742-fd8a718d7629.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\293ae5e3-fe37-49f6-979c-6a7583a83866.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f9fd31-02dc-4ad6-a4d8-ec1760d4876d.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fec8fd-cc49-4b57-ba1a-f490cbf3ca62.vbs"
        17⤵
        
        PID:920
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f1326c-7ff6-4ec5-91b9-f1b67a4c298a.vbs"
        19⤵
        
        PID:2516
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd618fe9-dfec-4dcb-973d-7e30742ebf02.vbs"
        21⤵
        
        PID:2292
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b874419-07a9-4c75-aee2-f017ca1714b5.vbs"
        23⤵
        
        PID:2440
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982d758b-0075-446a-91f6-ec842401f334.vbs"
        25⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62a69ed2-1233-48a0-8534-05e2e1c363a3.vbs"
        25⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84bb6cc4-ad8e-42a6-bcae-4480276df5db.vbs"
        23⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63ba84e5-d462-44a2-8bb6-de65f071b92f.vbs"
        21⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aaa62e1-3de1-4b26-ba3d-2273ef646a90.vbs"
        19⤵
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb93e6d-ab41-4939-ab16-cb3184e16ef6.vbs"
        17⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777c2aa7-998f-45d9-bcd7-f060efe85f3f.vbs"
        15⤵
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714a221d-6242-4a73-96af-bba30dddbad1.vbs"
        13⤵
        
        PID:696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a672423a-d1fb-4977-82bb-b58616028202.vbs"
        11⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a54999b2-258e-4727-9c1c-5ed17775a4e0.vbs"
        9⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daeedb0e-039e-435b-b584-b7728f03895c.vbs"
        7⤵
        
        PID:2180
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\921bd1ef-07e6-4261-b4b1-4751d8f50391.vbs"
        5⤵
        
        PID:2736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b955c5b3-f641-47ed-8ceb-a51fd23ead7a.vbs"
    3⤵
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DPX\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\DPX\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX540E.tmp

Filesize
885KB

MD5
dc5e5d98c8b489f7be525fb87d8e1de2

SHA1
d2d1aa9a8680b18923a2b7797387de7a98e517a5

SHA256
2b37e8b5c4f19f6734219f01671884c71189d466318856429291016521d27ca5

SHA512
b3fc55a7a34dd0a1b6eaf0f8af776e4a5ba490b08c20cb2d995199174f07aaf01c45264ce0fe7fbe7ac6bfff8eb5e1ea19c3981d40a9fd07d36eed035f86358b

Download Submit
C:\Program Files\Internet Explorer\en-US\explorer.exe

Filesize
885KB

MD5
63fa59f7c83ec1df2eac00cc85696830

SHA1
799e9ea365e4ad95c05d21e275e72438882ad776

SHA256
f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

SHA512
0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e285a64-88fc-498a-a679-35512d7869d8.vbs

Filesize
729B

MD5
6ca2d7be7101247f1b299f96c99a2011

SHA1
700434c0c4c9836cdb4e720a51b0b543ceeedb08

SHA256
0267b5b695b6875d4c47f702efb3917f544c58441edf784057ea2503432d665d

SHA512
f22ad9e1ab9c8ef6ee680ec1b8fa38609d16fabbbd70186cabdd7ecd7f17d8402ba274dc0091e37815a0b073513f2508a96e2da0b86ad30ed2a82a6fdf6a8b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\293ae5e3-fe37-49f6-979c-6a7583a83866.vbs

Filesize
729B

MD5
7df5e189146b0803abb46d5118a0d38d

SHA1
89c800c71cf66a52ee2956291fe589c5f7879d6d

SHA256
85816290f20447734406e881830ffe3a168ead8a24a2a52b313fea9eddf225e0

SHA512
42b738e10085c44d1aea097e98fbe04296a9f3a6eae80770703aadae95af50b16d1201a9f5b53b218948a0a4617b0f064932220c69cf91e33b6b6097c40372c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\599ad9c1-2864-4aab-95bd-230ff119fe7d.vbs

Filesize
729B

MD5
404d5a695ae518c3e42ddbb272c6b2d8

SHA1
80b1e123d48b071f4e5944ac2700ffe56c675eb8

SHA256
6a84b7394ed23da4faaf3312e53053a78d51e2a7bfdd7c93b5ec22355c1135a6

SHA512
96122125e098a57980b724d842a1357e05e780bc453c62f2eacfb2a3bbd91a64528d212c916a5b25c054d2a365f75b41753b46f61daba5b51011c80f76bdf444

Download Submit
C:\Users\Admin\AppData\Local\Temp\93e96575-6424-404c-8519-cd1255e1799f.vbs

Filesize
729B

MD5
32a2f37aa33d1df22b9ceed7fbfa9e20

SHA1
f66f22def3842e722bcda28d4a35a145a8e27ceb

SHA256
482fabf207c095918db78f7e5f222c2c0bd09d9765a8fa3012285b3b3e15f7e0

SHA512
ad061eb9574e95e8cbac7225d53ad16ca18544c4c7312e3c50b2a8cab30e95f83966f233746f72c5f34e869f6cffe67b98e757cfa7bc94974ea6670e9f3a66ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\93f9fd31-02dc-4ad6-a4d8-ec1760d4876d.vbs

Filesize
729B

MD5
ca76106d88426fc38a5355a634a18770

SHA1
21cb55ac87195f2a94bce7d048e08a9d9659830b

SHA256
9dc7fa320c2e8ae8a6e400876dc5ae003df0ffcf847f4af4ffb591ad452eed2a

SHA512
8d708f5ee3dcf783caa4fb0fc0cc0c6ec4514b40073c03545d18a43c2da590cef8e4720a0ce1fbdc3253f5a7688f2a9ded31dd555678948b738bce2e999193cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\982d758b-0075-446a-91f6-ec842401f334.vbs

Filesize
729B

MD5
60eeea74b1267ee147f5a425de82f4fc

SHA1
731cd074c35349e85009da5784525af9c2ce809a

SHA256
ae8e70633f97316a6dfe31e3b202f84ea5d612872bf3c1ff4d88c54b0b799b92

SHA512
b6bafb9587500cfca900907260ed37f1d913c4312dccbc0838ec1339309486c3134cc451eb91c36f73797270d9abb5467a09b5dad1cfb62fa1c1df3c43896336

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b874419-07a9-4c75-aee2-f017ca1714b5.vbs

Filesize
729B

MD5
cef77d8b7bc0bf30399e724522060911

SHA1
047c328a9bf154c15bc91aca970c796ffda56238

SHA256
c4be582bf927c70b7c7952749275bd1f6d74c421a1bb91b2fe63cc0e27a43899

SHA512
f03bad85299b1d30fbafff3c0c9a3b052a6e199d1f568a8b924cb97fd31058ff96c322f4fc98b6405eaa25f387d5b4a7971624fc083178f3cbf8432df6ea49f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3f1326c-7ff6-4ec5-91b9-f1b67a4c298a.vbs

Filesize
729B

MD5
758b9f133bd291dbdba08fb72caf4694

SHA1
11d90bfbb3d7cc76a05b3aa4cd68eeeac2b37339

SHA256
1330e55244f225109e56fd27df74d0797b96126dc801d270f282a22508dab9cf

SHA512
92dec7603138d45ae2d190d0552549cbcfb214df16dfa10856e74a394ee1b06f10f82d4bdbc194e8f63b1a824d4317e9a2724ec3c2ddd4aa52710b376269d151

Download Submit
C:\Users\Admin\AppData\Local\Temp\b955c5b3-f641-47ed-8ceb-a51fd23ead7a.vbs

Filesize
505B

MD5
133c83ba84a5544eb11f6018e72330f5

SHA1
3902e1289c40c75a303247c400cd114be292dfe2

SHA256
99dc0622687f820f8af34c4659084fbd03f51e7a5085c826852ed5b547a02e3a

SHA512
7a768e2cef3ad24df65b3125266577f7a8b7bbf75e89df568ae45d46f17e508d3b598de41cf6878c8955f9be446b361be4b246ab2aeb1cdd7e56d171645c69a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd618fe9-dfec-4dcb-973d-7e30742ebf02.vbs

Filesize
729B

MD5
610c933a2d9b47a7dbcf2b30ae0b0bf2

SHA1
db0d90e323bd2e3bc9f5430143d2521dd41309ef

SHA256
449e2c2daa1cd6b1da2945f3277bfb002a06aaedb4817d918dc77a6780086bdf

SHA512
8a4697f1efd503b2c46ff46461ff052e9fbe725c5330f7c7d90b7fc6e4497a01f971f00af3576baa2e437dc4da50358ce2443e90c067b8f0d8d8ad461abbcf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5a08a80-56b4-4b66-8c6e-d56119abbc13.vbs

Filesize
729B

MD5
cb075b7126bef60d3ee6a7fb7c2f2df5

SHA1
14495c4751bc03588a3fc9874cc7d488b381a3f3

SHA256
e1f96406b7828015e6d8f73c5f023ffd42582d06e308efc47df626295ed269af

SHA512
d1b7afddcfe4774ed8385c65d0a01c1be41b9138d49b01bf9de97705738fb5f554d8ca656b5fa27c87260029f077939cb4f54f341e7ccd7bdfa0d09e4fddf18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dded1eb2-38d5-4b99-a742-fd8a718d7629.vbs

Filesize
729B

MD5
4bc86b2049de10eb2ffe608cfa1367ae

SHA1
2115775465cb822814d049d64254db90664c7be3

SHA256
8a9c7a9f4f2192784c72ea7c9c90fda3cdd199dc0a541f91ef5602923b67fbcf

SHA512
ef7ae2a71575525400d63c4caf033ee24009b624f232e07b8ae01c8a29575c6cf879c3bf5dc23027deb4663c47a5f0c1f8cc3e2475e1e8bce1699716ac931116

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9fec8fd-cc49-4b57-ba1a-f490cbf3ca62.vbs

Filesize
729B

MD5
64516283c17f8f6f099c7485eb288891

SHA1
9aa90e90fb24c7ceef343d9d06bd0218f4e13beb

SHA256
101f1e980514261b787b35f4bad55d45a03ac3bbea2e5b44b3265c54a0ed8aa2

SHA512
b66e6106a393fd1ee6097bce0c153f757e3c542588031ef05cd24fe46c98ff48dcc68baceb9cbd0be13520ac52e391a173611c846d67e3418be401afd35d2cb4

Download Submit
memory/2144-187-0x0000000000F70000-0x0000000001054000-memory.dmp

Filesize
912KB

Download
memory/2200-153-0x0000000001270000-0x0000000001354000-memory.dmp

Filesize
912KB

Download
memory/2268-221-0x0000000000FC0000-0x00000000010A4000-memory.dmp

Filesize
912KB

Download
memory/2316-151-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-5-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2316-2-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-8-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2316-1-0x00000000012C0000-0x00000000013A4000-memory.dmp

Filesize
912KB

Download
memory/2316-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2316-0-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

Filesize
4KB

Download
memory/2316-9-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2316-6-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2316-7-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2316-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2472-279-0x0000000000020000-0x0000000000104000-memory.dmp

Filesize
912KB

Download
memory/2512-245-0x00000000011C0000-0x00000000012A4000-memory.dmp

Filesize
912KB

Download
memory/2548-233-0x00000000002C0000-0x00000000003A4000-memory.dmp

Filesize
912KB

Download
memory/2816-175-0x00000000001F0000-0x00000000002D4000-memory.dmp

Filesize
912KB

Download