dcrat | 30b269ab236535ccb2035e6c2b66655cb30889a92b2218de90e22725a127c19b

Analysis

max time kernel
8s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Size

1.2MB
MD5

6783cedfbb7ee848a0bb6e5f9e849945
SHA1

cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5
SHA256

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd
SHA512

be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d
SSDEEP

24576:CgUVDQapmJamx98IhSf5QdINv5dHnG3xu:C7DyfONvfu

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	5104	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3164-1-0x0000000000BD0000-0x0000000000D0E000-memory.dmp	dcrat
C:\odt\csrss.exe	dcrat
C:\odt\csrss.exe	dcrat
C:\odt\csrss.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\079de3863119e4afda620d62ef93296b7abf7f5d.exe	dcrat
C:\odt\csrss.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\079de3863119e4afda620d62ef93296b7abf7f5d.exe	dcrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Drops file in Program Files directory 3 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\csrss.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File opened for modification	C:\Program Files (x86)\Google\csrss.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3688	schtasks.exe
844	schtasks.exe
2392	schtasks.exe
1508	schtasks.exe
2372	schtasks.exe
3800	schtasks.exe
1752	schtasks.exe
1068	schtasks.exe
3888	schtasks.exe
3692	schtasks.exe
1736	schtasks.exe
3636	schtasks.exe
1208	schtasks.exe
4876	schtasks.exe
4248	schtasks.exe
976	schtasks.exe
4736	schtasks.exe
1652	schtasks.exe
880	schtasks.exe
4612	schtasks.exe
2980	schtasks.exe
2760	schtasks.exe
3796	schtasks.exe
1156	schtasks.exe
2672	schtasks.exe
1436	schtasks.exe
3064	schtasks.exe
4532	schtasks.exe
4560	schtasks.exe
4800	schtasks.exe
3400	schtasks.exe
2592	schtasks.exe
864	schtasks.exe
3452	schtasks.exe
2880	schtasks.exe
4192	schtasks.exe
4948	schtasks.exe
920	schtasks.exe
4416	schtasks.exe
3340	schtasks.exe
1960	schtasks.exe
2108	schtasks.exe
1568	schtasks.exe
548	schtasks.exe
4332	schtasks.exe
1628	schtasks.exe
2416	schtasks.exe
3292	schtasks.exe
2928	schtasks.exe
3108	schtasks.exe
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

pid	process
3164	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
3164	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
3164	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description pid process

Token: SeDebugPrivilege 3164 ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	pid	process
Token: SeDebugPrivilege	3164	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
"C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4J9n8i7fQ3.bat"
2⤵
PID:3600

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3028

C:\odt\csrss.exe
"C:\odt\csrss.exe"
3⤵
PID:1636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fad29a3-ff81-4525-9dd0-cd77dc2b7ce7.vbs"
4⤵
PID:4476

C:\odt\csrss.exe
C:\odt\csrss.exe
5⤵
PID:548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f6caf2-f4e8-4582-bb8d-aad79f12503b.vbs"
6⤵
PID:1156

C:\odt\csrss.exe
C:\odt\csrss.exe
7⤵
PID:3972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ad6d84-10ec-4f0f-b4db-1c3b4b244e6b.vbs"
8⤵
PID:3636

C:\odt\csrss.exe
C:\odt\csrss.exe
9⤵
PID:1960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d6379d2-38ae-4950-b5b5-5d88b5f3af12.vbs"
10⤵
PID:2460

C:\odt\csrss.exe
C:\odt\csrss.exe
11⤵
PID:2440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62470549-80af-45b0-81fb-ce3105052405.vbs"
12⤵
PID:4428

C:\odt\csrss.exe
C:\odt\csrss.exe
13⤵
PID:2868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f551ff32-cec6-4ecc-882d-6386f088184f.vbs"
14⤵
PID:568

C:\odt\csrss.exe
C:\odt\csrss.exe
15⤵
PID:3692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f238e0e-49cc-439d-a0bc-081587f8782e.vbs"
16⤵
PID:380

C:\odt\csrss.exe
C:\odt\csrss.exe
17⤵
PID:1652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af2bea8c-4695-46f7-a465-30db73701aa9.vbs"
18⤵
PID:832

C:\odt\csrss.exe
C:\odt\csrss.exe
19⤵
PID:220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17eb01f5-12b3-43e9-b32c-dd4056201e5c.vbs"
20⤵
PID:1504

C:\odt\csrss.exe
C:\odt\csrss.exe
21⤵
PID:1240

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b81d279f-abd5-4ad3-956c-6c1dea2b950b.vbs"
22⤵
PID:1984

C:\odt\csrss.exe
C:\odt\csrss.exe
23⤵
PID:4040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5596c09-f7f2-4432-a80c-557ed566bf5f.vbs"
24⤵
PID:2400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ff1e862-37aa-4e0f-91c0-379b41925ce4.vbs"
24⤵
PID:3428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bb409e3-8f55-4bdd-a2f8-b02f52cc10eb.vbs"
22⤵
PID:1076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca012a78-1f55-48f0-be4f-90e75f6a64cd.vbs"
20⤵
PID:3936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee790e6a-2cae-4317-b039-821165812a14.vbs"
18⤵
PID:3600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\639326a9-79e8-4bf6-b8df-54618c3c0fb2.vbs"
16⤵
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18aaba23-9198-429f-a294-5efaddc3beb1.vbs"
14⤵
PID:3780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43149c79-17d9-4eb0-bd6a-e4a3f8ff2f16.vbs"
12⤵
PID:4776

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d844f1cd-0d8d-484c-9597-f543a8be7a20.vbs"
10⤵
PID:1152

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daf79edd-e5ea-4d8a-bb18-70775ef44440.vbs"
8⤵
PID:1836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\232683cd-384b-49c8-bf07-1ce8377ca874.vbs"
6⤵
PID:4576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b95c32da-e6a2-4d65-9379-a3480fca66db.vbs"
4⤵
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
Filesize
1KB

MD5
38600effaf6f4a95dd6f8fd12751463b

SHA1
590e9f869c0a5e3861783cb23023f23d9b57bb54

SHA256
e3b9ce7cbc8cf9f43eaf4ed01eb1f8113f7f580a1f4c35d3f01a0de87b9772f4

SHA512
aca30aada4bd5284b619cb06e6d3c1d2d680da9eb6879903595b5f08b8da96cd45a0d64df4e359f1fca0d6aaa2eeabba78ccd36fd039fb1d394f88fbdfe10e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\079de3863119e4afda620d62ef93296b7abf7f5d.exe
Filesize
1.2MB

MD5
b46df1f75815f15e52b1b5dc6be0d494

SHA1
a89333a91d57ebe3aa63173f82eb982682165abd

SHA256
585ecd9d0dff974e76a00e5deb0a3d5e9b738e476383f9e436d90abab649efad

SHA512
31b6c10781e3d5bd62c901a642501376aeb9de1023eb98f5edc51a4fc05517014b91d3944ffe18578d3fd3425dbad0228509b64b5806db9191819a759c024204

Download Submit
C:\Users\Admin\AppData\Local\Temp\079de3863119e4afda620d62ef93296b7abf7f5d.exe
Filesize
442KB

MD5
657312bcc18efbcb8ca394054af9dd37

SHA1
8c619e98d7806bb2780f656fcc65b3402b057153

SHA256
75205090dd67652350f8471e93c37194f2b98ce308227d1e483f587975c07ec0

SHA512
f0781a56dcd758953419e67eeea5e2c3d2db8f1a0b1525820eb79162b90e0aec9ab82b11d9a80cc7b456b6fc9e5bde59d470420c689bd7bbe71813e9af56df60

Download Submit
C:\Users\Admin\AppData\Local\Temp\17eb01f5-12b3-43e9-b32c-dd4056201e5c.vbs
Filesize
691B

MD5
6bccbe46267471335b47790eb5e21ee1

SHA1
861d1f5d3a9f9d5dfa909b9f27e8a3e240fb06df

SHA256
3ea3fa9afa2355c90bbca681ebe881f3a6e378af11b01fef6840faaa981345c4

SHA512
3b27ed39f0e6411e1aa9ff7ea6bbb18c59de6dab4e0320fc3d87f3ddfb484848593023c4d949c109cc36365a4d384883e61e5201c0e1f4478153a46817e22b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\4J9n8i7fQ3.bat
Filesize
181B

MD5
5d09dafb00991f1dc790ee0e180f5e88

SHA1
a955043a74eabf4ff22744db7a5bca4a145c93cf

SHA256
7c0cadd38dedd95ca5aa769408a9488ada6484ce5835502bf97a2b5de0b7ecf3

SHA512
99fa377f79c05704fcfc7d768d8565d5df000f865a5d8d707f04a71d1ea8e3aa6945eefa1246daea0e8ed09c7875659f1fa522774a0fb2441b8346c3614dc5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\62470549-80af-45b0-81fb-ce3105052405.vbs
Filesize
692B

MD5
029bbadcc02a1e66b2edde89b2bc4d2d

SHA1
1e22cdb69ae4ede3d8d02ec9bc8bc09ff8ba9653

SHA256
6a5ec831ada0d0572da80cdd95d95394c5046c89c137ebde0822a0f7e0071256

SHA512
6a2b9377b1075bee9af590c4322c09726507813b8cd9f910ee06029b89a0c840269a9bba70e2a069fb76469ea8963c1f1ec04a53fa2d60a50fd75905cafa5bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fad29a3-ff81-4525-9dd0-cd77dc2b7ce7.vbs
Filesize
692B

MD5
33df5519643cea338e21deb776f4947d

SHA1
e64dfe463c9c8863674e53cb7a4cd52eb71a3d33

SHA256
b7fb2d792ae7e61bb16acd5ba3a4ec0d7fab4035e8f2a14e39b621754fea50bb

SHA512
52db7c3c344bf6ab7883703da306aa86c6d1dc67297446a089e41080ce15d1beb4da2c038c67dcb707e72a634bf1acbbf454a4cf1a637424dcbe1678b3613e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d6379d2-38ae-4950-b5b5-5d88b5f3af12.vbs
Filesize
692B

MD5
62fde26bc714253c00e1cd26ec4ff0fb

SHA1
56c6e265e33b461adab0e53208923b1ec8d72901

SHA256
7414a60e7f97f348de3377f75078264217a0fc6bc27f83727add28ce46b24ddd

SHA512
6679001863f3b52dfbf87ddcb857e7a944df101f6ba7888f5029a24755808d733e808ff493f5fedfd1a31749bd66031950675ddf590c85ee4c87b49b88db4932

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f238e0e-49cc-439d-a0bc-081587f8782e.vbs
Filesize
692B

MD5
9b228b5045b38fcc3184cea3692d4a5f

SHA1
76970426a3301c5dddc46b11827e31bc927b7b62

SHA256
682607a76842bac4e661ab0947353f9e8254cd85ab4689242af6bd05823ab610

SHA512
3e5aa6a0175daf9e402204d45ca5274668e6e840a1c448a1e7474242e39d017311719373b69d8c223410da956a5daaf0cc5b5a47c1e3673a17a06a130fda7396

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5596c09-f7f2-4432-a80c-557ed566bf5f.vbs
Filesize
692B

MD5
a36cea90c83c1e160f638b7848e01738

SHA1
0e406b33826b2a92703a1968b5eba35410cd82a4

SHA256
884a75f001ee8551e4d78388f964d50a1ad8a824f1f38f54e0d19cee9c8a4860

SHA512
a0fd80aae1ab815e57901d1e00f634f081064e2fa6f27de2ee0bf41718272adeb7fb4305acc79882a156a22ed90eaa9ca4f9298830353b7fa980651c72ee69a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\af2bea8c-4695-46f7-a465-30db73701aa9.vbs
Filesize
692B

MD5
989aab46181a891cbc7d8767a3ecbc1e

SHA1
45df0b03c76152cb40596b84e93928b44f5bd845

SHA256
2698ffe8166db7863d1dbf6397afa49f29e96a4f642859d996d09419bc359066

SHA512
024dbfc12ffe42532567f8c7516f9000c7be478c8eefd3c246c77c92ab1dd9ed6d5fffca1f2adb65fe4cdc795c919ae6405c8a5b4cbafcc97c858124ba3c5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\b81d279f-abd5-4ad3-956c-6c1dea2b950b.vbs
Filesize
692B

MD5
bee5ffa0d01981a3233767034b1e80cc

SHA1
d0182a8c98088c719a115b1f9f5a30c547382232

SHA256
91dea28799037828b8a951642332ee8305b896a45e2e1506369582b2e39bf28d

SHA512
11fefda5c9568e4dcac612491390c1eff68fc33b4806a2de8575320c52419447273455efb29ff67b632997df2e50217351beb5b6388b940357a8a75ddcf3b997

Download Submit
C:\Users\Admin\AppData\Local\Temp\b95c32da-e6a2-4d65-9379-a3480fca66db.vbs
Filesize
468B

MD5
ae20590c5d8f60a151624403c402b7b4

SHA1
f048a62c4da9a1ce0deac72db1f1cf893eca10b1

SHA256
96901e5a2b39251992cc1abf18d2ef094cf05456bee90e04d0ee57e0be506991

SHA512
c9041569a8e2a2bca904ea376645199c26852c4adb7dedb626abf71f831bcf5d351354462819dcd2654de9ab595d8ed463261dad5a3ccdb83e0da3b70941cb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4f6caf2-f4e8-4582-bb8d-aad79f12503b.vbs
Filesize
691B

MD5
3901a031b1b3c63ba9a5a0f7a713486a

SHA1
a09c03d688e1620b9c69467e81b1e4b973eb0ff3

SHA256
94234bc7f1d584c4438da6bca959d36926709d01b36cc9604ee5addea95484d1

SHA512
c6d7443b13b73978cbc58d9b1ac5d219ce283881342b53b09ade8976994ba7a0238cf8db5d36c737c3c8357a44babda4ca966569c615014609b01e61031397b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6ad6d84-10ec-4f0f-b4db-1c3b4b244e6b.vbs
Filesize
692B

MD5
1bfd94f23c602ead934fb0e6bc56e0bc

SHA1
032bacb14cc04a5969ea12bafba9f366c30be56e

SHA256
d836811e28b90aeb4b04018905bb54e8d2aa4e0078123fa1a4de9c9e1628360d

SHA512
c72db5a0f56ace0cea16cbfa515e846f4bc0a019a0aa7936bd6968cf7fbdeff2809b2a922007e9b3bfcb9b23ea240070e8f5439fdb9321750e4bdeeb6d237fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f551ff32-cec6-4ecc-882d-6386f088184f.vbs
Filesize
692B

MD5
41cc7e87397162500592be2632682612

SHA1
b798c0b67cd61abb16db777b5c1f06893ac130bf

SHA256
62a13747b3521893f09549c56547c3b5f716d987b18faca99b051fe68b0d87a9

SHA512
303ca23c0c6b7acaef426b1469b921582ff967dc2fb44d43687ea89e93756de071a49c5e4eda0fd6d0fcf8ed5ba035ab35118d696b1ac28aee2bd2c9de40ca65

Download Submit
C:\odt\csrss.exe
Filesize
1.0MB

MD5
61221939af0b03994054b2dc124a905b

SHA1
aaf4ac216e898271e81fb888f955d78e224eedeb

SHA256
5bfb0e82dced45c04ddc642338555d08b7e0404d43cb72d0e91b0691da0d0ae3

SHA512
795e5b879a13691c221069375fca5467edefd8f64c9a43869e5c1e236bf9f27794bfd4f0468bfbdb392eb88a766806f63d48fad80dc6a1e4b62fa11dc8762962

Download Submit
C:\odt\csrss.exe
Filesize
954KB

MD5
9042b5ed8db116190cb339b773004b49

SHA1
9cd223948907e2740f926eeb8dc9402165115570

SHA256
dee1f7d8d119cd1838dd3df661df1f97d0e095b8024d770d32764ad42d84e9fd

SHA512
8a370bfacaee06dceadb6994d9ab4978470d1c9870824d81389b9452aa61402af3d8b2655cdcd0b462ee5009f8fdc4288e3639ce4e89f781126cfa9098f80783

Download Submit
C:\odt\csrss.exe
Filesize
833KB

MD5
36de868d2b31869cd402af993a2a7611

SHA1
00a7f38e86becd50b8a68185140e1418a93c6141

SHA256
11510e99a0b74acaf87ac6309db9179d0c130a8bb6bf6d8d2bea85da95e45c80

SHA512
b418b315a43dfa4a0632d34593d14a23aa29eff055a77d0a2b44dd6d85eab1c3613305ddae30ce81ec35f1e44a0c40b6aa512866a18af1a5fbacf3ecc44f6cc2

Download Submit
C:\odt\csrss.exe
Filesize
1.2MB

MD5
6783cedfbb7ee848a0bb6e5f9e849945

SHA1
cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5

SHA256
ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd

SHA512
be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d

Download Submit
memory/1960-94-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/3164-11-0x000000001B850000-0x000000001B85A000-memory.dmp

Filesize
40KB

Download
memory/3164-56-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/3164-7-0x000000001C540000-0x000000001CA68000-memory.dmp

Filesize
5.2MB

Download
memory/3164-8-0x0000000002ED0000-0x0000000002ED8000-memory.dmp

Filesize
32KB

Download
memory/3164-9-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/3164-10-0x000000001B840000-0x000000001B848000-memory.dmp

Filesize
32KB

Download
memory/3164-15-0x000000001C170000-0x000000001C17C000-memory.dmp

Filesize
48KB

Download
memory/3164-14-0x000000001C160000-0x000000001C16A000-memory.dmp

Filesize
40KB

Download
memory/3164-0-0x00007FF971183000-0x00007FF971185000-memory.dmp

Filesize
8KB

Download
memory/3164-13-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/3164-12-0x000000001B870000-0x000000001B87E000-memory.dmp

Filesize
56KB

Download
memory/3164-6-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

Filesize
72KB

Download
memory/3164-5-0x0000000001500000-0x000000000150C000-memory.dmp

Filesize
48KB

Download
memory/3164-3-0x00000000014D0000-0x00000000014D8000-memory.dmp

Filesize
32KB

Download
memory/3164-4-0x00000000014E0000-0x00000000014EA000-memory.dmp

Filesize
40KB

Download
memory/3164-2-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/3164-1-0x0000000000BD0000-0x0000000000D0E000-memory.dmp

Filesize
1.2MB

Download