dcrat | cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Size

1.8MB
MD5

37c85ad6a6a43784e086433a06cc85c6
SHA1

c51a7935cd6b16305e125a4b5cc9e162923429bf
SHA256

cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4
SHA512

e6a73a792c99fe1d254c44d7ac00159608d117cf629ecf5c17b4b0eb4c65a0943f45fb6cc6e68d2a0440ed8bcacbc6e189d7ef55eef3a214868c751a69d562a8
SSDEEP

49152:QodoalH3Fh0dZXAZPabJ10r+vJqB1zRIm:Qod93fQwFkhO2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3548	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	3548	schtasks.exe	84

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1600-1-0x0000000000F40000-0x0000000001108000-memory.dmp	dcrat
behavioral2/files/0x00080000000234e8-33.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe
2096	powershell.exe
4120	powershell.exe
2460	powershell.exe
1640	powershell.exe
2768	powershell.exe
972	powershell.exe
964	powershell.exe
8	powershell.exe
2280	powershell.exe
3124	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 11 IoCs

pid	Process
3444	wininit.exe
528	wininit.exe
1392	wininit.exe
4300	wininit.exe
4124	wininit.exe
4468	wininit.exe
5084	wininit.exe
2040	wininit.exe
1600	wininit.exe
1304	wininit.exe
900	wininit.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\spoolsv.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files (x86)\Microsoft.NET\f3b6ecef712a24	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXBE8F.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files (x86)\Windows Portable Devices\19f7b9f4688cdb	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXBE90.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC095.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC096.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\spoolsv.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXC29B.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\wininit.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Windows\RemotePackages\RemoteApps\wininit.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Windows\RemotePackages\RemoteApps\56085415360792	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXC29A.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
208	schtasks.exe
4768	schtasks.exe
372	schtasks.exe
4748	schtasks.exe
5004	schtasks.exe
3476	schtasks.exe
5008	schtasks.exe
3780	schtasks.exe
4352	schtasks.exe
2184	schtasks.exe
2120	schtasks.exe
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
4120	powershell.exe
4120	powershell.exe
2096	powershell.exe
2096	powershell.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2768	powershell.exe
2768	powershell.exe
1640	powershell.exe
1640	powershell.exe
3124	powershell.exe
3124	powershell.exe
1088	powershell.exe
1088	powershell.exe
972	powershell.exe
972	powershell.exe
2460	powershell.exe
2460	powershell.exe
964	powershell.exe
964	powershell.exe
8	powershell.exe
8	powershell.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
964	powershell.exe
2096	powershell.exe
2768	powershell.exe
4120	powershell.exe
1640	powershell.exe
8	powershell.exe
3124	powershell.exe
1088	powershell.exe
2460	powershell.exe
972	powershell.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
3444	wininit.exe
3444	wininit.exe
3444	wininit.exe
3444	wininit.exe
3444	wininit.exe
3444	wininit.exe
3444	wininit.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	3444	wininit.exe
Token: SeDebugPrivilege	528	wininit.exe
Token: SeDebugPrivilege	1392	wininit.exe
Token: SeDebugPrivilege	4300	wininit.exe
Token: SeDebugPrivilege	4124	wininit.exe
Token: SeDebugPrivilege	4468	wininit.exe
Token: SeDebugPrivilege	5084	wininit.exe
Token: SeDebugPrivilege	2040	wininit.exe
Token: SeDebugPrivilege	1600	wininit.exe
Token: SeDebugPrivilege	1304	wininit.exe
Token: SeDebugPrivilege	900	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2280	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	103
PID 1600 wrote to memory of 2280	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	103
PID 1600 wrote to memory of 4120	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	104
PID 1600 wrote to memory of 4120	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	104
PID 1600 wrote to memory of 8	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	105
PID 1600 wrote to memory of 8	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	105
PID 1600 wrote to memory of 2096	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	106
PID 1600 wrote to memory of 2096	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	106
PID 1600 wrote to memory of 964	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	107
PID 1600 wrote to memory of 964	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	107
PID 1600 wrote to memory of 972	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	108
PID 1600 wrote to memory of 972	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	108
PID 1600 wrote to memory of 2768	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	109
PID 1600 wrote to memory of 2768	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	109
PID 1600 wrote to memory of 1640	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	110
PID 1600 wrote to memory of 1640	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	110
PID 1600 wrote to memory of 2460	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	111
PID 1600 wrote to memory of 2460	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	111
PID 1600 wrote to memory of 1088	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	112
PID 1600 wrote to memory of 1088	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	112
PID 1600 wrote to memory of 3124	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	113
PID 1600 wrote to memory of 3124	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	113
PID 1600 wrote to memory of 3444	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	125
PID 1600 wrote to memory of 3444	1600	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	125
PID 3444 wrote to memory of 1784	3444	wininit.exe	127
PID 3444 wrote to memory of 1784	3444	wininit.exe	127
PID 3444 wrote to memory of 1716	3444	wininit.exe	128
PID 3444 wrote to memory of 1716	3444	wininit.exe	128
PID 1784 wrote to memory of 528	1784	WScript.exe	131
PID 1784 wrote to memory of 528	1784	WScript.exe	131
PID 528 wrote to memory of 3128	528	wininit.exe	132
PID 528 wrote to memory of 3128	528	wininit.exe	132
PID 528 wrote to memory of 1832	528	wininit.exe	133
PID 528 wrote to memory of 1832	528	wininit.exe	133
PID 3128 wrote to memory of 1392	3128	WScript.exe	136
PID 3128 wrote to memory of 1392	3128	WScript.exe	136
PID 1392 wrote to memory of 5068	1392	wininit.exe	137
PID 1392 wrote to memory of 5068	1392	wininit.exe	137
PID 1392 wrote to memory of 4304	1392	wininit.exe	138
PID 1392 wrote to memory of 4304	1392	wininit.exe	138
PID 5068 wrote to memory of 4300	5068	WScript.exe	139
PID 5068 wrote to memory of 4300	5068	WScript.exe	139
PID 4300 wrote to memory of 3276	4300	wininit.exe	140
PID 4300 wrote to memory of 3276	4300	wininit.exe	140
PID 4300 wrote to memory of 2156	4300	wininit.exe	141
PID 4300 wrote to memory of 2156	4300	wininit.exe	141
PID 3276 wrote to memory of 4124	3276	WScript.exe	142
PID 3276 wrote to memory of 4124	3276	WScript.exe	142
PID 4124 wrote to memory of 3224	4124	wininit.exe	143
PID 4124 wrote to memory of 3224	4124	wininit.exe	143
PID 4124 wrote to memory of 2688	4124	wininit.exe	144
PID 4124 wrote to memory of 2688	4124	wininit.exe	144
PID 3224 wrote to memory of 4468	3224	WScript.exe	145
PID 3224 wrote to memory of 4468	3224	WScript.exe	145
PID 4468 wrote to memory of 728	4468	wininit.exe	146
PID 4468 wrote to memory of 728	4468	wininit.exe	146
PID 4468 wrote to memory of 404	4468	wininit.exe	147
PID 4468 wrote to memory of 404	4468	wininit.exe	147
PID 728 wrote to memory of 5084	728	WScript.exe	148
PID 728 wrote to memory of 5084	728	WScript.exe	148
PID 5084 wrote to memory of 3504	5084	wininit.exe	149
PID 5084 wrote to memory of 3504	5084	wininit.exe	149
PID 5084 wrote to memory of 2380	5084	wininit.exe	150
PID 5084 wrote to memory of 2380	5084	wininit.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
"C:\Users\Admin\AppData\Local\Temp\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\RemotePackages\RemoteApps\wininit.exe
  "C:\Windows\RemotePackages\RemoteApps\wininit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57afb95c-b067-418e-be86-c88338b4370b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\RemotePackages\RemoteApps\wininit.exe
      C:\Windows\RemotePackages\RemoteApps\wininit.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\041a484c-5ff8-4bb5-b788-a23699da50b1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e686c5ca-a263-4c58-9902-e8a8123736fb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd6810bb-2a8f-4844-bfb2-3e2a476f2c62.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0c5779-ca0c-490b-9d3a-2f2aef7801df.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1bbe8c-d2fc-42ed-80a2-0c0dca2ad19d.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1e17f6-6a59-4f94-bb33-7a2a00d55a4a.vbs"
        15⤵
        
        PID:3504
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3b59fdf-4e37-48fa-a5a8-b2a89bbde1ae.vbs"
        17⤵
        
        PID:2196
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b375dc-fdb5-404a-8cd3-0104f58dcb12.vbs"
        19⤵
        
        PID:4648
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7643b88d-edf8-4a59-8223-c6914fb5076d.vbs"
        21⤵
        
        PID:3500
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        
        C:\Windows\RemotePackages\RemoteApps\wininit.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61a32f7-f148-48d8-91b6-c1bae1a161f1.vbs"
        23⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\675f7172-bd5e-46e8-a657-abdfb35736d0.vbs"
        23⤵
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19880f8d-bcba-4a7e-a0be-548e59ecd0f2.vbs"
        21⤵
        
        PID:428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0d92be0-d288-4ab0-b537-54f294768671.vbs"
        19⤵
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af821532-1052-4798-acc2-d0719e81e692.vbs"
        17⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b591036a-aaa1-4a5f-a2bb-d0e62b1db18e.vbs"
        15⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf40025b-e46b-4a26-b3a6-286e5f5a4219.vbs"
        13⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a99aeba-af7a-4912-8ddb-3fa8d591fce5.vbs"
        11⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c8821eb-b99c-4b14-9388-44e5467abb95.vbs"
        9⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\971f99c7-cb54-4957-ad59-22b36c88e563.vbs"
        7⤵
        
        PID:4304
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77dd12ad-42e9-4c44-aeb8-d8e9e422b40b.vbs"
        5⤵
        
        PID:1832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa1a0f19-4c13-4e09-a5d3-4e723859ad71.vbs"
    3⤵
    PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4c" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4c" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\041a484c-5ff8-4bb5-b788-a23699da50b1.vbs

Filesize
723B

MD5
e97b307262e1865e422bd69103daadbc

SHA1
e95211479a9c92381dcb8229e699afeef21130d0

SHA256
681cbe5d6668fb763eed2664bc6d74be8735cf541f122d94c4ba800c7ba2658c

SHA512
b985ffa172773b9fab56eb2b2ae03ce21f42f5137d5152bed2332e30c597f4f94b4d3c4ae349fb488805fc4df573f7a796a821b4d7505c9284e539db158a0c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a1e17f6-6a59-4f94-bb33-7a2a00d55a4a.vbs

Filesize
724B

MD5
6c8d4b85af41cd4534d73b0e4a8f4aa4

SHA1
e72ae8ad8ddc0ad6cd4813af774593dc68624d2b

SHA256
e71bfe72b302d128dda041426a13cfdb843c88d0e372e5b7c9a7d0668934a272

SHA512
93bf5d13842d0d7a180c2a497920dbf846a1b6baafd3ab9bf0a47330e508166f438e5c2715d12717302ab8d6eec7a71dc1a5615376fbc5603c1697f28e0de971

Download Submit
C:\Users\Admin\AppData\Local\Temp\57afb95c-b067-418e-be86-c88338b4370b.vbs

Filesize
724B

MD5
2fbfc25dc6b83c22e0e1c3e30b3e6a77

SHA1
505078df9fd7208926fffc9987efebc70a02b02d

SHA256
3d55e25a2cd2cb8275d5d2ef5b57e8e719db97a35def522cd04ba920f0933ff8

SHA512
6c8e1a742a8658b10ced6d33630597b79b04474d54295804a334383ccd50b1aa11b5c908a7626abe68ad9c5a33e8c5753f7ff56e4751702fb0298ae57627a560

Download Submit
C:\Users\Admin\AppData\Local\Temp\59b375dc-fdb5-404a-8cd3-0104f58dcb12.vbs

Filesize
724B

MD5
1ac107153321f5ea11ed51c1b2eccdbd

SHA1
7286d12689772b7c2f6df7138bb320b19d6ab61b

SHA256
ffc37f8ee5a7e610f7b8976bb190d0235f6736b2d9f7863f7301db03cbc3afe7

SHA512
74d584e5ec77132004e408216c0d35c5cf57c63e24aefc9d2e3a3037d221be64de64392bbfee46277428725e2ea5bbbf4dd8a6514d0338521e06e6c692ac4242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7643b88d-edf8-4a59-8223-c6914fb5076d.vbs

Filesize
724B

MD5
1db366f09209f7bd54fe2f464bcf6de9

SHA1
42522b5ac55914e3eb661c22ab418df5f1563fde

SHA256
2ea2f336372f9653506a4f3b064f5a3f1d83cd69b643ea4a5f70db737681fb1f

SHA512
87bd190cd89f93ab186e6e155458a2417980b4dbcba75d00beb565ed876316a3a660086008bcdd0c733fc8c90ae627c435866aab1f60ca0db0b73b8395913f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a0c5779-ca0c-490b-9d3a-2f2aef7801df.vbs

Filesize
724B

MD5
d5db6e74044305998c5efd8231f5066a

SHA1
d0d286fe6004c1014037e6daa0085673f42b5084

SHA256
2fd0df8ea8a2368fc73a6385caa2c9a9a5939d5c33dbd3f5146c6f3a7867e419

SHA512
71d69516422e840f803e29cc35b02b6d38e95ad5fdb6b1ce487ebf69c7d6134a41fcdc12941e403a504d8541b51ea41308fb838c3aa3b847ed633dd18286200b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXBC8A.tmp

Filesize
1.8MB

MD5
37c85ad6a6a43784e086433a06cc85c6

SHA1
c51a7935cd6b16305e125a4b5cc9e162923429bf

SHA256
cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4

SHA512
e6a73a792c99fe1d254c44d7ac00159608d117cf629ecf5c17b4b0eb4c65a0943f45fb6cc6e68d2a0440ed8bcacbc6e189d7ef55eef3a214868c751a69d562a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1mxgvll.2gj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab1bbe8c-d2fc-42ed-80a2-0c0dca2ad19d.vbs

Filesize
724B

MD5
26494c1409908f3840bcd42b02c47931

SHA1
569a55f63df2bc45766ecaa1656fda6943a5d580

SHA256
87075a749610fbaa6b90b1f543e1913fca9e7b410f5745cb932406589bba1369

SHA512
471e621b0a70c91457579eeea4e4d7bccc163e98aeb6ce6337455b1ab9fe9a5c129604c02f843bd567f27d2595de0c649082c12565e844b06b558379adc5be8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d61a32f7-f148-48d8-91b6-c1bae1a161f1.vbs

Filesize
723B

MD5
a57e6b7c08abc584596f729678ebbf42

SHA1
53c53989ffd78a75b3a154e098eec4d9a1a57259

SHA256
d926603ba10e1626b25938754096d467ce7c936d28a0c9910d41b7e3ac264708

SHA512
9a1f7e56a990084313049d96454d0bd9c95e292af666fe486fb548366d56336e34c63eb1b99903eea906de7e00aa026491e866ade47de59d0a7fee97a230bb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b59fdf-4e37-48fa-a5a8-b2a89bbde1ae.vbs

Filesize
724B

MD5
aac2fa5874be717928092774f7756e61

SHA1
f0f76470e5b93fe32798053c69b1c2ab653b985e

SHA256
99951021c220785ae051450b52e0f7394f5e75065c5cbe58949dfe7782032c62

SHA512
edbd79ece2326c1f64c3c200bcfe3265e5adf5eb1d8f3d7a58efc171a367ab2dff54f20295457a5c7d31982e8ff3a9038794cd298b4c9efd0d9ca2ef0a21b831

Download Submit
C:\Users\Admin\AppData\Local\Temp\e686c5ca-a263-4c58-9902-e8a8123736fb.vbs

Filesize
724B

MD5
b879be093bafdd117e0e1d9e15ae935d

SHA1
d252b13a22b30a965fb7b9fbb4352338da19a460

SHA256
d179ad48a5ad02429a2f2e29fdedfdba0eb22bdf3ee41ecb08bb01e24959a848

SHA512
af033f71da97996b61649127bfb87a0a4b2c45428bd0a3e03c2a7904a700a7ceb5de04d2d74164f3a4ffcb22ee093234fa91946abc171cca6fe0e68849b8bdd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa1a0f19-4c13-4e09-a5d3-4e723859ad71.vbs

Filesize
500B

MD5
fd75213b13483e88d7d450c9151a1b8d

SHA1
c3f38832adbcc792791cf1d17dedf53ae4bee1e6

SHA256
0f15b1a1d946988a80e3812b75bcc5d4a0ae57e88d3fbd281be0a6ecf3340bd0

SHA512
bb0c151e0b8cb52ec018e654e228292e28dc6ce376176caaa65c5e572362e6b5e57b15b735ea60b9539fffcca0874a79769bd0d3a2264dafd4721eacca9e6dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd6810bb-2a8f-4844-bfb2-3e2a476f2c62.vbs

Filesize
724B

MD5
eeb43957b3151aa6117e36f269aa0539

SHA1
a4168f5e770d92197b52651712a513c73d6df88a

SHA256
6a459cb67f1ecd6f7c99e2afe9e234d0414d78276bedb0378b52f83b80c80f50

SHA512
c79a098e6478e384939e3cf2cc5563e5930dab3af76ce4d746113782639bd794e1ec6451b4432b4a47fa30fe189b2d6625dff15de8125f98d720da70e3737fb0

Download Submit
memory/528-278-0x000000001BD40000-0x000000001BD52000-memory.dmp

Filesize
72KB

Download
memory/1392-290-0x0000000002760000-0x0000000002772000-memory.dmp

Filesize
72KB

Download
memory/1600-14-0x000000001CA70000-0x000000001CF98000-memory.dmp

Filesize
5.2MB

Download
memory/1600-9-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

Filesize
64KB

Download
memory/1600-241-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1600-1-0x0000000000F40000-0x0000000001108000-memory.dmp

Filesize
1.8MB

Download
memory/1600-23-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1600-16-0x000000001C650000-0x000000001C65A000-memory.dmp

Filesize
40KB

Download
memory/1600-17-0x000000001C660000-0x000000001C66E000-memory.dmp

Filesize
56KB

Download
memory/1600-18-0x000000001C670000-0x000000001C678000-memory.dmp

Filesize
32KB

Download
memory/1600-19-0x000000001C780000-0x000000001C78C000-memory.dmp

Filesize
48KB

Download
memory/1600-22-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1600-15-0x000000001C540000-0x000000001C54C000-memory.dmp

Filesize
48KB

Download
memory/1600-0-0x00007FF9FBA03000-0x00007FF9FBA05000-memory.dmp

Filesize
8KB

Download
memory/1600-13-0x000000001C510000-0x000000001C522000-memory.dmp

Filesize
72KB

Download
memory/1600-11-0x000000001C3A0000-0x000000001C3A8000-memory.dmp

Filesize
32KB

Download
memory/1600-10-0x000000001C390000-0x000000001C39C000-memory.dmp

Filesize
48KB

Download
memory/1600-2-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1600-4-0x000000001C3C0000-0x000000001C410000-memory.dmp

Filesize
320KB

Download
memory/1600-3-0x0000000003190000-0x00000000031AC000-memory.dmp

Filesize
112KB

Download
memory/1600-364-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/1600-7-0x000000001C370000-0x000000001C386000-memory.dmp

Filesize
88KB

Download
memory/1600-6-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/1600-5-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/1600-8-0x0000000003280000-0x0000000003292000-memory.dmp

Filesize
72KB

Download
memory/2040-352-0x0000000003050000-0x0000000003062000-memory.dmp

Filesize
72KB

Download
memory/2768-130-0x000001F69B2C0000-0x000001F69B2E2000-memory.dmp

Filesize
136KB

Download
memory/3444-242-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

Filesize
72KB

Download
memory/4124-325-0x000000001C170000-0x000000001C272000-memory.dmp

Filesize
1.0MB

Download
memory/4124-314-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/4300-312-0x000000001CD00000-0x000000001CE02000-memory.dmp

Filesize
1.0MB

Download
memory/4468-338-0x000000001C160000-0x000000001C262000-memory.dmp

Filesize
1.0MB

Download
memory/4468-339-0x000000001C160000-0x000000001C262000-memory.dmp

Filesize
1.0MB

Download
memory/4468-327-0x000000001B010000-0x000000001B022000-memory.dmp

Filesize
72KB

Download