dcrat | 35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d735d6b2f34e9a7cd2604d3036ac8486.exe
Size

1.6MB
MD5

d735d6b2f34e9a7cd2604d3036ac8486
SHA1

a9573454a2ad6414594b5b0f8d69e2e82bae35d6
SHA256

c5fa332ed4a6180d87d8b8f63d024a740117ebc2dcacb4e314483013f68fe488
SHA512

d29023f2d896eb06e2e740423396a9fe17d91bd30f7ee2e8f3374cf73d947e8c761c1c48071ade640db2a597c8c17542b94950f57a05cc84bcf47147013eb9a1
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4728	schtasks.exe	88

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/5568-1-0x00000000004A0000-0x0000000000642000-memory.dmp	dcrat
behavioral30/files/0x000900000002423e-28.dat	dcrat
behavioral30/files/0x000c00000002334d-48.dat	dcrat
behavioral30/memory/632-120-0x0000000000FE0000-0x0000000001182000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3592	powershell.exe
2092	powershell.exe
2928	powershell.exe
2456	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	d735d6b2f34e9a7cd2604d3036ac8486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 14 IoCs

pid	Process
632	backgroundTaskHost.exe
5288	backgroundTaskHost.exe
1764	backgroundTaskHost.exe
1856	backgroundTaskHost.exe
4856	backgroundTaskHost.exe
5208	backgroundTaskHost.exe
3068	backgroundTaskHost.exe
2008	backgroundTaskHost.exe
3096	backgroundTaskHost.exe
1012	backgroundTaskHost.exe
2452	backgroundTaskHost.exe
2700	backgroundTaskHost.exe
3860	backgroundTaskHost.exe
1680	backgroundTaskHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	d735d6b2f34e9a7cd2604d3036ac8486.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4812	schtasks.exe
3084	schtasks.exe
4616	schtasks.exe
4580	schtasks.exe
4664	schtasks.exe
1732	schtasks.exe
4804	schtasks.exe
1508	schtasks.exe
1432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
3592	powershell.exe
3592	powershell.exe
2092	powershell.exe
2456	powershell.exe
2092	powershell.exe
2456	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2092	powershell.exe
2456	powershell.exe
3592	powershell.exe
632	backgroundTaskHost.exe
5288	backgroundTaskHost.exe
1764	backgroundTaskHost.exe
1856	backgroundTaskHost.exe
4856	backgroundTaskHost.exe
5208	backgroundTaskHost.exe
3068	backgroundTaskHost.exe
2008	backgroundTaskHost.exe
3096	backgroundTaskHost.exe
1012	backgroundTaskHost.exe
2452	backgroundTaskHost.exe
2700	backgroundTaskHost.exe
3860	backgroundTaskHost.exe
1680	backgroundTaskHost.exe
1680	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	632	backgroundTaskHost.exe
Token: SeDebugPrivilege	5288	backgroundTaskHost.exe
Token: SeDebugPrivilege	1764	backgroundTaskHost.exe
Token: SeDebugPrivilege	1856	backgroundTaskHost.exe
Token: SeDebugPrivilege	4856	backgroundTaskHost.exe
Token: SeDebugPrivilege	5208	backgroundTaskHost.exe
Token: SeDebugPrivilege	3068	backgroundTaskHost.exe
Token: SeDebugPrivilege	2008	backgroundTaskHost.exe
Token: SeDebugPrivilege	3096	backgroundTaskHost.exe
Token: SeDebugPrivilege	1012	backgroundTaskHost.exe
Token: SeDebugPrivilege	2452	backgroundTaskHost.exe
Token: SeDebugPrivilege	2700	backgroundTaskHost.exe
Token: SeDebugPrivilege	3860	backgroundTaskHost.exe
Token: SeDebugPrivilege	1680	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 3592	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	100
PID 5568 wrote to memory of 3592	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	100
PID 5568 wrote to memory of 2092	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	101
PID 5568 wrote to memory of 2092	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	101
PID 5568 wrote to memory of 2928	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	102
PID 5568 wrote to memory of 2928	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	102
PID 5568 wrote to memory of 2456	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	103
PID 5568 wrote to memory of 2456	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	103
PID 5568 wrote to memory of 4112	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	108
PID 5568 wrote to memory of 4112	5568	d735d6b2f34e9a7cd2604d3036ac8486.exe	108
PID 4112 wrote to memory of 2960	4112	cmd.exe	110
PID 4112 wrote to memory of 2960	4112	cmd.exe	110
PID 4112 wrote to memory of 632	4112	cmd.exe	117
PID 4112 wrote to memory of 632	4112	cmd.exe	117
PID 632 wrote to memory of 3400	632	backgroundTaskHost.exe	120
PID 632 wrote to memory of 3400	632	backgroundTaskHost.exe	120
PID 632 wrote to memory of 5056	632	backgroundTaskHost.exe	121
PID 632 wrote to memory of 5056	632	backgroundTaskHost.exe	121
PID 3400 wrote to memory of 5288	3400	WScript.exe	124
PID 3400 wrote to memory of 5288	3400	WScript.exe	124
PID 5288 wrote to memory of 5380	5288	backgroundTaskHost.exe	126
PID 5288 wrote to memory of 5380	5288	backgroundTaskHost.exe	126
PID 5288 wrote to memory of 5964	5288	backgroundTaskHost.exe	127
PID 5288 wrote to memory of 5964	5288	backgroundTaskHost.exe	127
PID 5380 wrote to memory of 1764	5380	WScript.exe	135
PID 5380 wrote to memory of 1764	5380	WScript.exe	135
PID 1764 wrote to memory of 1044	1764	backgroundTaskHost.exe	139
PID 1764 wrote to memory of 1044	1764	backgroundTaskHost.exe	139
PID 1764 wrote to memory of 832	1764	backgroundTaskHost.exe	140
PID 1764 wrote to memory of 832	1764	backgroundTaskHost.exe	140
PID 1044 wrote to memory of 1856	1044	WScript.exe	141
PID 1044 wrote to memory of 1856	1044	WScript.exe	141
PID 1856 wrote to memory of 4116	1856	backgroundTaskHost.exe	143
PID 1856 wrote to memory of 4116	1856	backgroundTaskHost.exe	143
PID 1856 wrote to memory of 2228	1856	backgroundTaskHost.exe	144
PID 1856 wrote to memory of 2228	1856	backgroundTaskHost.exe	144
PID 4116 wrote to memory of 4856	4116	WScript.exe	145
PID 4116 wrote to memory of 4856	4116	WScript.exe	145
PID 4856 wrote to memory of 1428	4856	backgroundTaskHost.exe	147
PID 4856 wrote to memory of 1428	4856	backgroundTaskHost.exe	147
PID 4856 wrote to memory of 4992	4856	backgroundTaskHost.exe	148
PID 4856 wrote to memory of 4992	4856	backgroundTaskHost.exe	148
PID 1428 wrote to memory of 5208	1428	WScript.exe	150
PID 1428 wrote to memory of 5208	1428	WScript.exe	150
PID 5208 wrote to memory of 628	5208	backgroundTaskHost.exe	152
PID 5208 wrote to memory of 628	5208	backgroundTaskHost.exe	152
PID 5208 wrote to memory of 3672	5208	backgroundTaskHost.exe	153
PID 5208 wrote to memory of 3672	5208	backgroundTaskHost.exe	153
PID 628 wrote to memory of 3068	628	WScript.exe	154
PID 628 wrote to memory of 3068	628	WScript.exe	154
PID 3068 wrote to memory of 5596	3068	backgroundTaskHost.exe	156
PID 3068 wrote to memory of 5596	3068	backgroundTaskHost.exe	156
PID 3068 wrote to memory of 4404	3068	backgroundTaskHost.exe	157
PID 3068 wrote to memory of 4404	3068	backgroundTaskHost.exe	157
PID 5596 wrote to memory of 2008	5596	WScript.exe	158
PID 5596 wrote to memory of 2008	5596	WScript.exe	158
PID 2008 wrote to memory of 5256	2008	backgroundTaskHost.exe	160
PID 2008 wrote to memory of 5256	2008	backgroundTaskHost.exe	160
PID 2008 wrote to memory of 1720	2008	backgroundTaskHost.exe	161
PID 2008 wrote to memory of 1720	2008	backgroundTaskHost.exe	161
PID 5256 wrote to memory of 3096	5256	WScript.exe	162
PID 5256 wrote to memory of 3096	5256	WScript.exe	162
PID 3096 wrote to memory of 2692	3096	backgroundTaskHost.exe	164
PID 3096 wrote to memory of 2692	3096	backgroundTaskHost.exe	164

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe
"C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2960
- - C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
    "C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\111e5592-5577-421f-9779-39c58c87515a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5288
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54ca9f67-8851-4fcd-b066-a2f91041fe58.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5380
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57ac00cf-e4ee-4e6e-80d2-685b363d5771.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\737832f7-fe6b-461e-82b9-937073bf5777.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a091561-c7f0-4c73-8d2f-a75d24ce5c4e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26196892-f72d-418e-9aa7-d6f56d6f4a3d.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3654976c-edbb-4522-bdc7-85ea6b811472.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5596
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a155b716-bce1-4e9c-a126-aa1282179fca.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5256
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0628fd2-1d84-4ba8-a6ed-b11d79acae6d.vbs"
        20⤵
        
        PID:2692
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb282602-d5bb-4502-80c9-dda94e7e7920.vbs"
        22⤵
        
        PID:5152
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74904582-68e5-415f-b659-b9008b45b551.vbs"
        24⤵
        
        PID:1876
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d4a4f77-cb61-401d-a5a4-9b4b99b95e06.vbs"
        26⤵
        
        PID:1580
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414b6afb-adf5-4df8-bead-6f81e08e3c1f.vbs"
        28⤵
        
        PID:3276
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87bdef5e-5a4e-4204-a70a-d518147d70b0.vbs"
        30⤵
        
        PID:5776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5199e5a0-0155-4539-bd6e-df7dd3201b20.vbs"
        30⤵
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\680ae014-0d63-4871-8d4b-13bf2c26a787.vbs"
        28⤵
        
        PID:372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f24b1c-0174-42fa-8dba-699865d1bb48.vbs"
        26⤵
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8488651-758b-468b-be08-443bf2929f4c.vbs"
        24⤵
        
        PID:6068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9b77ca-20b1-43ca-b610-6bc44f637e9c.vbs"
        22⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0384932a-efdf-4619-9ceb-ddcb1d763300.vbs"
        20⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8375b5a6-9730-4e32-b51c-df659856db71.vbs"
        18⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f1af2b-3313-4d28-af31-7ccc8ad81b52.vbs"
        16⤵
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3cf1c18-6570-43e4-84f7-55b8e7368ac9.vbs"
        14⤵
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec8a24d-0119-4370-b35e-9399dbb976a0.vbs"
        12⤵
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd225f63-e606-431f-ad2c-9ee4d1da3369.vbs"
        10⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9775ec5-a192-4bf7-93e4-ed81cc61fcce.vbs"
        8⤵
        
        PID:832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1af2ec81-85a2-49ab-983a-aa78b36a2356.vbs"
        6⤵
        
        PID:5964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f510a8f9-ee94-49ca-88a3-d756894f1490.vbs"
      4⤵
      PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe

Filesize
1.6MB

MD5
be6445b2d3bf91138b2f50beab2493ec

SHA1
addc9e841a50fce6d5b169e8acfe13b08b196b36

SHA256
b1be2cb723cebc97bc0b240e33c91d097e85891743c642196fa7e883624b6039

SHA512
90c3352d5f27031a583e8f33bafce8ad6187d532dacd02977c0c862e3190da155f93024568af82b78dd397181641828ce8f21c2db631db9bd9d9b561edf16856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
87d9fe9e5ee685ff2b66e5396fcdcb99

SHA1
0ac74edba86591b97d1a7531c3d2e659f0843b7f

SHA256
f84df996802a7b65b0a58ecd1960f157bdc82f817bae81409eb4184e438ed9b8

SHA512
ce602ffb6822849af961afc13b972d0d344bbfaa50c5fe372cf475f424a9227f788ea64a1dfa9b96d8e01cfa2b7f0f9e695ea001ea37a6c7c235c86931d1cf3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc487a10cbdc629a4f1bf7746fb761db

SHA1
fd57efbd4fec14ee2cd1f7182e44deab3274d93d

SHA256
f8955b8222531e781da46d2073ba029d35c9ea1e9e0afc8aec301ef664cc7ba1

SHA512
bf3671f71474c4c95f8927983d4ed04e5fd62c1cbf0fb374591ddc72bd5ece11edeb8d8086af48827464038748b4ab9c12a3d63daf22523f5f4fc42a73f46b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e5592-5577-421f-9779-39c58c87515a.vbs

Filesize
733B

MD5
8fb1c19520158ca59ee9fb364d27ca38

SHA1
d81e6a2ff78fd1d749b1a6ca3e68e0ba85f59858

SHA256
d411df0490fdc5d7ea5261eb83e6737fda3c1dcfd714b6bb3be893323b5c98e2

SHA512
87100cd812f5f2bcae325731bbe905799cb07c685b1d9aa4432708f22169d7c4f6f4424ffd3d5a5085f15820ca42b78d4ac7fca58fde357f10cc78565d6ac243

Download Submit
C:\Users\Admin\AppData\Local\Temp\26196892-f72d-418e-9aa7-d6f56d6f4a3d.vbs

Filesize
734B

MD5
46f3c6e2acff397277560cebde4c636f

SHA1
012f32b8b7d230b61e748818683caa6086176185

SHA256
146ba5222ec778cdd32b41192d5bdf0bc1392407f8aaae5f6bd3ae605bfb780a

SHA512
a00c310d9f7b78109ea047c7c57f03505842d5b041bc6e64733d2850e1d7801e84f192525290983b34d55583eb2b61e4c998c2420d2fa100ed8488e07266612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3654976c-edbb-4522-bdc7-85ea6b811472.vbs

Filesize
734B

MD5
669889039b50c5df7f9b9b5c3e361313

SHA1
3fdd6367ad013fce7260159c27f42211a9b951af

SHA256
1d61f5f4c81370207864fa33490c3ba7184fae31202a0cc96dbf627b30023524

SHA512
11e521412b1cb16da10b1ae333ae1341fc335a7c1c25b30b23d2dabcedd1c918ae4f859fcd17880831b4cee2180d7386c40159e45407d6dea75bb70243737f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat

Filesize
223B

MD5
aa4d61ab37f636826fec8fd76ffa4d43

SHA1
9d75c45eb0a6047cd555f25fb8dbb3598e49c244

SHA256
d6a00ee9b86950c2825f89e411d7c66dd0952ae161a128699cffd392019c3b7b

SHA512
282c874543cdcdf7cf472d13b45c8c83ab002a300a0d086fc9a947fae6a159feb94368dbb2005259c18d44ee9c3749f7aeee4581acff000950476dc8ae494de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\414b6afb-adf5-4df8-bead-6f81e08e3c1f.vbs

Filesize
734B

MD5
f12f5e7bcf044223d86d8557ea9d49ee

SHA1
f0fb39a678e052b0b6cd50b2ff22ce2b66b3a7b5

SHA256
bd1a70992db8e58ed24300e9282aaf183e6542224fb9d731a9e49e45ccb9c6d0

SHA512
9fcc2aff4ee4d677ce0c901efbdae17686e47442468dac639808a906bf71a62f5d0854365d1197460ece4e24d00ceb492d61ebfe6394628a8d9c1bfa9ece2690

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a091561-c7f0-4c73-8d2f-a75d24ce5c4e.vbs

Filesize
734B

MD5
49bdf8ada191a3dedd7fa89027d3966c

SHA1
a2573cd68aad265e78b1e17337c9134aa8dd0f39

SHA256
994844c34e6cd919090d3a54510c9dc1d417ecf59e1682788836fe0bec21bbc1

SHA512
9768f28ca07f1c0c1820bd2c7c68f9007f32203f224325a7024dd070b9f6b77ef5d59ba822ae0b0e12203218f98e0cb0e3ee394a279e42db918fd9480ccb6c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\54ca9f67-8851-4fcd-b066-a2f91041fe58.vbs

Filesize
734B

MD5
7349012d50ec2159cd3f0b8972102664

SHA1
4679665ee17ea33782931287343ebddc2ccff627

SHA256
afd2459e0b9a933883d8c12fc6734f5f8f6b44efcd7f9d96ff9a5ecaa07e2e4a

SHA512
c387da0ef7175e1392fc2fdfdea09e94700bb9863b8f042021c6ddcfaff46268fa233fa545dcfeb15e6b9c29c8457869a1dec8734e3570aa17e177a992ce69ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\57ac00cf-e4ee-4e6e-80d2-685b363d5771.vbs

Filesize
734B

MD5
ee51c9581644ad1ac096c7b6aeec2b0d

SHA1
2662c64670da878a7523176b1c85c57d2cb9840c

SHA256
beb8b06714b78ccbcb9e268d2c192c84ab9e26f9512eebfb17798128486d6496

SHA512
0c5f7f9abcbe9b58caa46b18fe6a0e18af69b2fc5b711213eb13399525615d03d7779242f577717810eb0bb994f61983280f82e2974fea1cb637b61e603da7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d4a4f77-cb61-401d-a5a4-9b4b99b95e06.vbs

Filesize
734B

MD5
92bac24eee97a1ad539d3fd5c9435aa3

SHA1
28d6ee12c5bf538223d356ebca5ce6ba570cc086

SHA256
5974651e0c0f54f1592ee9e2fc4029d844b2d6ec6cadc5ba4e14c4b568fdb5bb

SHA512
3de5a0b127cfc1d1622d4e774d99a6443e81763a04399e6eb880b0a7553f30004bcd6e54cd552120de12f08f737adb80739fe2e0b53c03bf6de7f17f732c05fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\737832f7-fe6b-461e-82b9-937073bf5777.vbs

Filesize
734B

MD5
03cc8a02bcee575f7d2f1916ad6bd8f2

SHA1
c1b2ea767b28cee81896d05fdaa2926a9b73292e

SHA256
2a978b9f1dddce598cf4bc84ef06f9c9cd23158cbd8ba085d059e2c31defa12f

SHA512
4df48181f73df8b874a2533e039e3ffb812b8886c52723838d67a146964582b12909a39775b6bda52aa515cde143a0c4281b33d4ebcc314d32ca297e18a5b0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\74904582-68e5-415f-b659-b9008b45b551.vbs

Filesize
734B

MD5
f15a9e4c554a16d2b843d0f0fc71eff3

SHA1
43a18385ab4f6032af01edc58092a3ac8b8bfc9f

SHA256
2d60c2c710d919cc419dca401906c1c4c7bc71212d4c50f77ad30e6af22cd533

SHA512
f88ecbcd006738c5152bab93adb8681ac5ce32a3c7104a9e109ca3bb25f6805f290f83782619f7c478a4aa232a839716ff934d19aa49ba3744969442b9b875cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\87bdef5e-5a4e-4204-a70a-d518147d70b0.vbs

Filesize
734B

MD5
efbd2d434bfdcafde1b8a1d863e668b9

SHA1
9d3822105e7df20ef1fc068e53073c8a8e170ff7

SHA256
f0e03b3b3ce6418772acea31ae7b3fde5bf9e82aedc5286bc90013e7ddbe09a2

SHA512
9433e1a8de23c5f3bcd7abfa44b879ae4462c6a985da3bba72874ae64be067c5a6ca169848c0989b4dc1157e911bb2926370741ec2fc3bbba2d64d86084cf7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX60CE.tmp

Filesize
1.6MB

MD5
d735d6b2f34e9a7cd2604d3036ac8486

SHA1
a9573454a2ad6414594b5b0f8d69e2e82bae35d6

SHA256
c5fa332ed4a6180d87d8b8f63d024a740117ebc2dcacb4e314483013f68fe488

SHA512
d29023f2d896eb06e2e740423396a9fe17d91bd30f7ee2e8f3374cf73d947e8c761c1c48071ade640db2a597c8c17542b94950f57a05cc84bcf47147013eb9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5pdt11r.uxy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a155b716-bce1-4e9c-a126-aa1282179fca.vbs

Filesize
734B

MD5
674935ece8ac5cfa8c8f62d39bafcae9

SHA1
dd5ea458a0935108c47e430f75854186c117207d

SHA256
d0378504dfbf8573eb8d8f7348ee81c7d8d966f626aa418f75c86b6690bbc601

SHA512
e027250ef94082d3d4b4b6ee96ac037bf3f2071bd99f2d18b9359a1d140293f5055c01e6f2f3bf2805116bfc5746068d35e6c49757df7aafef7d859c8a29bb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb282602-d5bb-4502-80c9-dda94e7e7920.vbs

Filesize
734B

MD5
1310985930fbea31f177542992de6612

SHA1
684d3fdbf5a0c5fe1f13e72a6a32b72a46a0c87b

SHA256
c44a5084234db329a9f927254899b2857ea8a9b518fc26b31834566a386d9d7a

SHA512
262fa281f876d23bb48fa81d5e190a08ab23b97de3f2f8fac4cdc82787e7d1c162c2ec6b44912a44ced4f8f408eeed6bf05871a3a9248d15ce949510837e44c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0628fd2-1d84-4ba8-a6ed-b11d79acae6d.vbs

Filesize
734B

MD5
1911ccb533cc97f8f02936e5eb540782

SHA1
5308411be75661d1702195763f2b38bd58ea2b16

SHA256
82ab7ff04ee70f6ba6af2a480c50fd7a3775db148f04151dc46fd1bf3a596dcc

SHA512
2b4032d13d02a354ba15fe8b1138d6e77fbb7608cef346e41dd10d4ae15855f57ddf0f3bfe757ca767b68ede76c5909a13db41392cea40680817f8061143179d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f510a8f9-ee94-49ca-88a3-d756894f1490.vbs

Filesize
510B

MD5
f2a17e4248e77c4f90eef829a1d4ecb8

SHA1
c83fec8c531a88b0712f9c52cad974349c49ace4

SHA256
24ed7246cfee274f5672b477c87b9870190ba627b0278d35fece01f8cd253ebb

SHA512
68034b5e065897658a77a90b90dccff3c694370ddacb4498bb6bf1c5c053b279c9862a1cf013b2c6a2e6309d374f64fd40b3c1dcc0538b349861ac1ed2c34c03

Download Submit
memory/632-120-0x0000000000FE0000-0x0000000001182000-memory.dmp

Filesize
1.6MB

Download
memory/3592-79-0x000001FFE0880000-0x000001FFE08A2000-memory.dmp

Filesize
136KB

Download
memory/5568-1-0x00000000004A0000-0x0000000000642000-memory.dmp

Filesize
1.6MB

Download
memory/5568-84-0x00007FFFD1870000-0x00007FFFD2331000-memory.dmp

Filesize
10.8MB

Download
memory/5568-11-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/5568-12-0x000000001BB00000-0x000000001BB0A000-memory.dmp

Filesize
40KB

Download
memory/5568-13-0x000000001BB10000-0x000000001BB1E000-memory.dmp

Filesize
56KB

Download
memory/5568-14-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/5568-15-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/5568-16-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/5568-17-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/5568-10-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/5568-9-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/5568-4-0x000000001B900000-0x000000001B950000-memory.dmp

Filesize
320KB

Download
memory/5568-6-0x0000000002870000-0x0000000002886000-memory.dmp

Filesize
88KB

Download
memory/5568-8-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/5568-7-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

Filesize
32KB

Download
memory/5568-5-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/5568-3-0x0000000002740000-0x000000000275C000-memory.dmp

Filesize
112KB

Download
memory/5568-2-0x00007FFFD1870000-0x00007FFFD2331000-memory.dmp

Filesize
10.8MB

Download
memory/5568-0-0x00007FFFD1873000-0x00007FFFD1875000-memory.dmp

Filesize
8KB

Download