dcrat | 9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Size

1.7MB
MD5

2ee8bf268f50f97db5231d71e3023c37
SHA1

0dd823f60b08b9b307c4be5f59c3b275caa2e1d5
SHA256

9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7
SHA512

294877dccd8c04d4c134ca29a9ebebe746f4b4a67bd7761cd581f27fcfe6a7b0866cde35d1c819e1f63b9fb829424e6d77711a494427ea73b84c53b48a2d6f0a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4144	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4144	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4144	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4144	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4144	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4144	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4436-1-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023c80-33.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
2660	powershell.exe
4684	powershell.exe
3456	powershell.exe
1528	powershell.exe
1852	powershell.exe
244	powershell.exe
2016	powershell.exe
60	powershell.exe
2004	powershell.exe
3624	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 10 IoCs

pid	Process
1304	winlogon.exe
4512	winlogon.exe
1644	winlogon.exe
2936	winlogon.exe
2168	winlogon.exe
436	winlogon.exe
3088	winlogon.exe
4384	winlogon.exe
1484	winlogon.exe
1512	winlogon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\cc11b995f2a76d	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXA4B0.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXA4B1.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\en-US\RCXA26C.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\en-US\RCXA26D.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\886983d96e3d3e	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3256	schtasks.exe
3020	schtasks.exe
5000	schtasks.exe
1012	schtasks.exe
3984	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
3456	powershell.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2004	powershell.exe
2004	powershell.exe
2660	powershell.exe
2660	powershell.exe
244	powershell.exe
244	powershell.exe
1852	powershell.exe
1852	powershell.exe
2016	powershell.exe
2016	powershell.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4684	powershell.exe
4684	powershell.exe
60	powershell.exe
60	powershell.exe
2116	powershell.exe
2116	powershell.exe
1528	powershell.exe
1528	powershell.exe
2016	powershell.exe
3624	powershell.exe
3624	powershell.exe
3456	powershell.exe
3456	powershell.exe
2004	powershell.exe
2660	powershell.exe
244	powershell.exe
60	powershell.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
4684	powershell.exe
1852	powershell.exe
2116	powershell.exe
3624	powershell.exe
4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
1528	powershell.exe
1304	winlogon.exe
1304	winlogon.exe
1304	winlogon.exe
1304	winlogon.exe
1304	winlogon.exe
1304	winlogon.exe
1304	winlogon.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1304	winlogon.exe
Token: SeDebugPrivilege	4512	winlogon.exe
Token: SeDebugPrivilege	1644	winlogon.exe
Token: SeDebugPrivilege	2936	winlogon.exe
Token: SeDebugPrivilege	2168	winlogon.exe
Token: SeDebugPrivilege	436	winlogon.exe
Token: SeDebugPrivilege	3088	winlogon.exe
Token: SeDebugPrivilege	4384	winlogon.exe
Token: SeDebugPrivilege	1484	winlogon.exe
Token: SeDebugPrivilege	1512	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3456	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	89
PID 4436 wrote to memory of 3456	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	89
PID 4436 wrote to memory of 1528	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	90
PID 4436 wrote to memory of 1528	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	90
PID 4436 wrote to memory of 1852	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	91
PID 4436 wrote to memory of 1852	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	91
PID 4436 wrote to memory of 2004	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	92
PID 4436 wrote to memory of 2004	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	92
PID 4436 wrote to memory of 244	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	93
PID 4436 wrote to memory of 244	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	93
PID 4436 wrote to memory of 2016	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	94
PID 4436 wrote to memory of 2016	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	94
PID 4436 wrote to memory of 2116	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	95
PID 4436 wrote to memory of 2116	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	95
PID 4436 wrote to memory of 2660	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	96
PID 4436 wrote to memory of 2660	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	96
PID 4436 wrote to memory of 4684	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	97
PID 4436 wrote to memory of 4684	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	97
PID 4436 wrote to memory of 3624	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	98
PID 4436 wrote to memory of 3624	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	98
PID 4436 wrote to memory of 60	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	99
PID 4436 wrote to memory of 60	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	99
PID 4436 wrote to memory of 1304	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	111
PID 4436 wrote to memory of 1304	4436	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	111
PID 1304 wrote to memory of 2904	1304	winlogon.exe	112
PID 1304 wrote to memory of 2904	1304	winlogon.exe	112
PID 1304 wrote to memory of 5092	1304	winlogon.exe	113
PID 1304 wrote to memory of 5092	1304	winlogon.exe	113
PID 2904 wrote to memory of 4512	2904	WScript.exe	120
PID 2904 wrote to memory of 4512	2904	WScript.exe	120
PID 4512 wrote to memory of 2004	4512	winlogon.exe	121
PID 4512 wrote to memory of 2004	4512	winlogon.exe	121
PID 4512 wrote to memory of 3100	4512	winlogon.exe	122
PID 4512 wrote to memory of 3100	4512	winlogon.exe	122
PID 2004 wrote to memory of 1644	2004	WScript.exe	125
PID 2004 wrote to memory of 1644	2004	WScript.exe	125
PID 1644 wrote to memory of 1988	1644	winlogon.exe	126
PID 1644 wrote to memory of 1988	1644	winlogon.exe	126
PID 1644 wrote to memory of 3436	1644	winlogon.exe	127
PID 1644 wrote to memory of 3436	1644	winlogon.exe	127
PID 1988 wrote to memory of 2936	1988	WScript.exe	128
PID 1988 wrote to memory of 2936	1988	WScript.exe	128
PID 2936 wrote to memory of 4588	2936	winlogon.exe	129
PID 2936 wrote to memory of 4588	2936	winlogon.exe	129
PID 2936 wrote to memory of 4584	2936	winlogon.exe	130
PID 2936 wrote to memory of 4584	2936	winlogon.exe	130
PID 4588 wrote to memory of 2168	4588	WScript.exe	131
PID 4588 wrote to memory of 2168	4588	WScript.exe	131
PID 2168 wrote to memory of 3232	2168	winlogon.exe	132
PID 2168 wrote to memory of 3232	2168	winlogon.exe	132
PID 2168 wrote to memory of 4836	2168	winlogon.exe	133
PID 2168 wrote to memory of 4836	2168	winlogon.exe	133
PID 3232 wrote to memory of 436	3232	WScript.exe	134
PID 3232 wrote to memory of 436	3232	WScript.exe	134
PID 436 wrote to memory of 4552	436	winlogon.exe	135
PID 436 wrote to memory of 4552	436	winlogon.exe	135
PID 436 wrote to memory of 3244	436	winlogon.exe	136
PID 436 wrote to memory of 3244	436	winlogon.exe	136
PID 4552 wrote to memory of 3088	4552	WScript.exe	137
PID 4552 wrote to memory of 3088	4552	WScript.exe	137
PID 3088 wrote to memory of 2120	3088	winlogon.exe	138
PID 3088 wrote to memory of 2120	3088	winlogon.exe	138
PID 3088 wrote to memory of 3928	3088	winlogon.exe	139
PID 3088 wrote to memory of 3928	3088	winlogon.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
"C:\Users\Admin\AppData\Local\Temp\9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f4d85d6-4664-4c1f-bca5-35ea0c570eec.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c89aef8-c730-4c1b-8e8d-de52c76089a3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3691058-9389-438f-aeb7-121e63c53dc4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b084c7b7-8aa4-4f8c-acf8-983e41eee5c7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7a2fb4-5e33-45f0-9cf0-4256f01ee1a1.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\952574e7-352b-4b9f-be86-c4f1532ac5e9.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74462417-0cf3-457b-9735-f5d3a3e5319f.vbs"
        15⤵
        
        PID:2120
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d96080bb-7c91-4af7-a266-fd69e61608e3.vbs"
        17⤵
        
        PID:4484
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cadbea43-1bbb-4df7-aee4-654fc1331e87.vbs"
        19⤵
        
        PID:2016
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d95bfc3-7886-447c-b034-91b418672f17.vbs"
        21⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8ec1bb-159d-4012-917e-f91d0c8a642b.vbs"
        21⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9ab095-9ee5-4524-bcc3-158ca5f92c57.vbs"
        19⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6053e458-3f40-4d3b-a52b-39a5021ba40f.vbs"
        17⤵
        
        PID:3496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\180f3021-1f47-4138-bf24-60500d3eb9e3.vbs"
        15⤵
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b154c1a3-8e65-4a4e-8005-07fcdb7a2218.vbs"
        13⤵
        
        PID:3244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8999d5c2-3809-4935-8950-6724ee66c7b9.vbs"
        11⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d379ab78-eb71-420d-934d-ac7dfeefa458.vbs"
        9⤵
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a03f852-4ce2-446e-b6e9-5cb51de28039.vbs"
        7⤵
        
        PID:3436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3d36b5-6a5f-4f29-92e6-67122b167c9c.vbs"
        5⤵
        
        PID:3100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf4f654-aacc-4a7b-8e31-e6bb3049d897.vbs"
    3⤵
    PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a5e1f1efff867a822c6a57ee928dd66

SHA1
b017854d8a1deb05f1447e9dd6002902fb66bf6b

SHA256
8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957

SHA512
25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f7a2fb4-5e33-45f0-9cf0-4256f01ee1a1.vbs

Filesize
752B

MD5
31812b18b8a6417be50dfa5aa9b58617

SHA1
7e166e03cb25300104c461ee38d7c073e9235b09

SHA256
15196be53959643952934555f3c4789dd9d3c36b8004571519dbf34e1cb8b372

SHA512
86f57f4345b3f8c886a1acdfbb2bb8d94dcf62c7fccff1209c15333d43cbe4b097923a6d233f6601a406a561aff25635a5a1b5efd5dbf42e1102047538b9d105

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c89aef8-c730-4c1b-8e8d-de52c76089a3.vbs

Filesize
752B

MD5
d5a22cad4c2b0c9cd58a74413a7d8604

SHA1
da7706d1ebcac55f3c4a198ac6d522cbb45ef846

SHA256
803e80d1e86aa4c48f284faae3dc016a28ba30df69d7c0821ae7cb7142ac2f4d

SHA512
30467452a67ad7bf6d4d986e4d970fda86ed838a713f268c9192823016d2d92e9e49c73ce69e188037d03920486686931ebe53d5d00f33a050ed4477bb653827

Download Submit
C:\Users\Admin\AppData\Local\Temp\74462417-0cf3-457b-9735-f5d3a3e5319f.vbs

Filesize
752B

MD5
9bf72517d3dc2ed97c2559155a8eb3c1

SHA1
32da7f5bb19b176f6784d7087833d03a7fdc098d

SHA256
bc685baac6b52fb36aa9f133d766fd7e4ba83a3f4d8806968de49d7dbb982b8d

SHA512
c765ec75b121db51efebc67dbfb6adf8d82e4479644426010cbe34bc984939acc41d243516961ce0e012b934e3c21b2cd627f0a89f094bb98496486c24097ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f4d85d6-4664-4c1f-bca5-35ea0c570eec.vbs

Filesize
752B

MD5
4082d0411226705fa7f68a42ad12ad50

SHA1
30bc4ce276cc6065ec94280f3ad06768fc54b48f

SHA256
f8655fe0fc14e1977b66222ec2dc81c4075558d9f63265703434fbfad6c1a515

SHA512
ba906c62aea9fe89dd9f53793faeab64727803ef0a789d00fd6892ad4df12151063c703c899651e55c5bd8dfb113535b7b0d19b6af6de18556cd61adf92e8331

Download Submit
C:\Users\Admin\AppData\Local\Temp\952574e7-352b-4b9f-be86-c4f1532ac5e9.vbs

Filesize
751B

MD5
d3a0e6a168ea8884ff52eb4a4ce3cde1

SHA1
1fd64256eb83780016c01aa101a73eafb480c864

SHA256
b71d3c8b4c7ac51009b8d36d29c45fe4154e3786ea111e0ef9becb5df38a5fc3

SHA512
46e6d2b67d1b2c7ae64b6d4fc362a66bec1d65e317476455fa1f6218f9cee04d350393db69c5a4787fecb7457c14a6215b9ef2fc49913ef6547a3544c75e54d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d95bfc3-7886-447c-b034-91b418672f17.vbs

Filesize
752B

MD5
f066973d40889559749526df5d2abfb1

SHA1
b811c6ce58537512f8cfbe90906560aec1a393f6

SHA256
97c6e24752fbc5ede5416ee39678935721c1ac1924037e1810aff5217df7d490

SHA512
d0a8070bd36ecdd7d04b893c9bfcd99acfbda11e54d3808ab77c9c39fded051c9b0f8caaf9beeb5c39b8a84c8b4667bf5023351353f39399bc2d2bec80892c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_naifwzwm.jeb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b084c7b7-8aa4-4f8c-acf8-983e41eee5c7.vbs

Filesize
752B

MD5
f4fc7fa719fc9cb99f7eda06a838b477

SHA1
44550d71a6a1bfbb778c008b36f3ad7cdb0af240

SHA256
d1c3fbde02f564e21f27ac6447760e96f406d44d8d3af0a7445925d27b48e85b

SHA512
e175be9b8d38ff2467b2057c362566d5f03df4f8543503b7eaece183983df6a5eb45a9f7413733b77512d9be9e8f47671fceab137780ad7655e3d52aff7606f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cadbea43-1bbb-4df7-aee4-654fc1331e87.vbs

Filesize
752B

MD5
b6bc8a04edf0942bbb4888bcbe4b3325

SHA1
587f838e747ca67647c9cf0e2bd97c4b386be0a3

SHA256
9028896d5ceab98e10edf44294e28caf73c0837cfdff6f6187b67bc368139d2c

SHA512
ded2b91e586518ba173c142350120e836bdb910c38608dfaaa15b9eea96b7611df45b15b53425c2c98b312dd4043696b7057ce19bc9a30c81ac933d031145f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbf4f654-aacc-4a7b-8e31-e6bb3049d897.vbs

Filesize
528B

MD5
0827647d89caf90d523e85f0b4cf0b63

SHA1
e1bf890e89a61e0269950a50fb6e6a5da4b51b6a

SHA256
25fb13ddcb50551527a8daf971712940bead06176206d516639dc1413a8bcd8b

SHA512
5e765cd8d6b735c331dc5e3dddbac6a36395abb795519fb1d96364a6ff1cad6c87609dfa6da8cf67ca6aaa2fb6a23ae933b901015dfe6bb9042e4ba96f1bf19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3691058-9389-438f-aeb7-121e63c53dc4.vbs

Filesize
752B

MD5
8b7a0e1354082ded254f38dbe85a5eea

SHA1
3e56c7c1ae52396ecd99c295dc230dacae7acd46

SHA256
8602dfb1adffb265dad831f219a1e8a479c1f774dfa6176c448bcdf2b80c53bc

SHA512
5a860374d4a0e5eeed28197c455213a928615daa743201da55c28f010692530bdadec0bdd1c43d6270afa0a14810821ea87582e3ff97d84c3df4ba16ea5ec19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96080bb-7c91-4af7-a266-fd69e61608e3.vbs

Filesize
752B

MD5
d2fa5c44f9554cce00f9ffadabc5ccfb

SHA1
45b669eb213d4b5bb9655da1d8487886576974cf

SHA256
c579c232b2e973b9342ccd2fd1a6c31d2cdce9385fe356683a6194599f36d069

SHA512
8eec845391069852293cd13ab2f58ac83fe647f22e5fb9f6e08db3e0848a083c75223c850b5316f56ca7abd60527cbc12e82da4c826fc13fa552686890491174

Download Submit
C:\Windows\Speech_OneCore\Engines\TTS\en-US\csrss.exe

Filesize
1.7MB

MD5
2ee8bf268f50f97db5231d71e3023c37

SHA1
0dd823f60b08b9b307c4be5f59c3b275caa2e1d5

SHA256
9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7

SHA512
294877dccd8c04d4c134ca29a9ebebe746f4b4a67bd7761cd581f27fcfe6a7b0866cde35d1c819e1f63b9fb829424e6d77711a494427ea73b84c53b48a2d6f0a

Download Submit
memory/1644-261-0x000000001B2B0000-0x000000001B2C2000-memory.dmp

Filesize
72KB

Download
memory/2660-123-0x0000019F75BB0000-0x0000019F75BD2000-memory.dmp

Filesize
136KB

Download
memory/4436-13-0x000000001BA10000-0x000000001BF38000-memory.dmp

Filesize
5.2MB

Download
memory/4436-1-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-24-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-22-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-19-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/4436-15-0x000000001B5F0000-0x000000001B5FA000-memory.dmp

Filesize
40KB

Download
memory/4436-16-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/4436-17-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/4436-18-0x000000001B720000-0x000000001B72C000-memory.dmp

Filesize
48KB

Download
memory/4436-10-0x000000001AE40000-0x000000001AE48000-memory.dmp

Filesize
32KB

Download
memory/4436-216-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-23-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-14-0x000000001B4E0000-0x000000001B4EC000-memory.dmp

Filesize
48KB

Download
memory/4436-9-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/4436-0-0x00007FFCC6063000-0x00007FFCC6065000-memory.dmp

Filesize
8KB

Download
memory/4436-5-0x000000001ACD0000-0x000000001ACD8000-memory.dmp

Filesize
32KB

Download
memory/4436-8-0x000000001AE20000-0x000000001AE30000-memory.dmp

Filesize
64KB

Download
memory/4436-7-0x000000001AE00000-0x000000001AE16000-memory.dmp

Filesize
88KB

Download
memory/4436-6-0x000000001ADF0000-0x000000001AE00000-memory.dmp

Filesize
64KB

Download
memory/4436-4-0x000000001B460000-0x000000001B4B0000-memory.dmp

Filesize
320KB

Download
memory/4436-3-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/4436-2-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-12-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

Filesize
72KB

Download