dcrat | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c870e41803c86f574d467de03b94d3a5.exe
Size

1.6MB
MD5

c870e41803c86f574d467de03b94d3a5
SHA1

400b9e869b220989490c27fde0cfab9870cf5bc9
SHA256

f1967d6c082848ffbdf221a89f81eb9755ac78c924bd642ddab409969e81a37a
SHA512

9cc4b7d1d438a0a06acb3edd0fa0f9b1fb96ef291637bc6e146d0ece96225063d277eed8b8ce560b467d65df009a9b0d35f1bcf2448b2a58f098157d495bfe4a
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3120	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3120	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/1332-1-0x0000000000FC0000-0x0000000001162000-memory.dmp	dcrat
behavioral14/files/0x0008000000024145-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe
2264	powershell.exe
1524	powershell.exe
3788	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	c870e41803c86f574d467de03b94d3a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 15 IoCs

pid	Process
4308	winlogon.exe
2176	winlogon.exe
1244	winlogon.exe
3328	winlogon.exe
1056	winlogon.exe
4048	winlogon.exe
1836	winlogon.exe
3176	winlogon.exe
2288	winlogon.exe
4432	winlogon.exe
3540	winlogon.exe
3408	winlogon.exe
4524	winlogon.exe
1256	winlogon.exe
2232	winlogon.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Windows\Performance\WinSAT\DataStore\3a60ebb9f59d71	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX8F92.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX8FA2.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe	c870e41803c86f574d467de03b94d3a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	c870e41803c86f574d467de03b94d3a5.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
1220	schtasks.exe
884	schtasks.exe
536	schtasks.exe
4572	schtasks.exe
2916	schtasks.exe
928	schtasks.exe
1432	schtasks.exe
4696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1332	c870e41803c86f574d467de03b94d3a5.exe
1332	c870e41803c86f574d467de03b94d3a5.exe
1332	c870e41803c86f574d467de03b94d3a5.exe
1332	c870e41803c86f574d467de03b94d3a5.exe
1332	c870e41803c86f574d467de03b94d3a5.exe
1524	powershell.exe
2264	powershell.exe
2264	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
3788	powershell.exe
3788	powershell.exe
1524	powershell.exe
1524	powershell.exe
2264	powershell.exe
3788	powershell.exe
4308	winlogon.exe
2176	winlogon.exe
1244	winlogon.exe
3328	winlogon.exe
3328	winlogon.exe
1056	winlogon.exe
4048	winlogon.exe
1836	winlogon.exe
3176	winlogon.exe
2288	winlogon.exe
4432	winlogon.exe
3540	winlogon.exe
3408	winlogon.exe
4524	winlogon.exe
4524	winlogon.exe
1256	winlogon.exe
2232	winlogon.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	c870e41803c86f574d467de03b94d3a5.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4308	winlogon.exe
Token: SeDebugPrivilege	2176	winlogon.exe
Token: SeDebugPrivilege	1244	winlogon.exe
Token: SeDebugPrivilege	3328	winlogon.exe
Token: SeDebugPrivilege	1056	winlogon.exe
Token: SeDebugPrivilege	4048	winlogon.exe
Token: SeDebugPrivilege	1836	winlogon.exe
Token: SeDebugPrivilege	3176	winlogon.exe
Token: SeDebugPrivilege	2288	winlogon.exe
Token: SeDebugPrivilege	4432	winlogon.exe
Token: SeDebugPrivilege	3540	winlogon.exe
Token: SeDebugPrivilege	3408	winlogon.exe
Token: SeDebugPrivilege	4524	winlogon.exe
Token: SeDebugPrivilege	1256	winlogon.exe
Token: SeDebugPrivilege	2232	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 3788	1332	c870e41803c86f574d467de03b94d3a5.exe	99
PID 1332 wrote to memory of 3788	1332	c870e41803c86f574d467de03b94d3a5.exe	99
PID 1332 wrote to memory of 1524	1332	c870e41803c86f574d467de03b94d3a5.exe	100
PID 1332 wrote to memory of 1524	1332	c870e41803c86f574d467de03b94d3a5.exe	100
PID 1332 wrote to memory of 2264	1332	c870e41803c86f574d467de03b94d3a5.exe	101
PID 1332 wrote to memory of 2264	1332	c870e41803c86f574d467de03b94d3a5.exe	101
PID 1332 wrote to memory of 4816	1332	c870e41803c86f574d467de03b94d3a5.exe	102
PID 1332 wrote to memory of 4816	1332	c870e41803c86f574d467de03b94d3a5.exe	102
PID 1332 wrote to memory of 60	1332	c870e41803c86f574d467de03b94d3a5.exe	107
PID 1332 wrote to memory of 60	1332	c870e41803c86f574d467de03b94d3a5.exe	107
PID 60 wrote to memory of 1588	60	cmd.exe	109
PID 60 wrote to memory of 1588	60	cmd.exe	109
PID 60 wrote to memory of 4308	60	cmd.exe	114
PID 60 wrote to memory of 4308	60	cmd.exe	114
PID 4308 wrote to memory of 3860	4308	winlogon.exe	115
PID 4308 wrote to memory of 3860	4308	winlogon.exe	115
PID 4308 wrote to memory of 372	4308	winlogon.exe	116
PID 4308 wrote to memory of 372	4308	winlogon.exe	116
PID 3860 wrote to memory of 2176	3860	WScript.exe	119
PID 3860 wrote to memory of 2176	3860	WScript.exe	119
PID 2176 wrote to memory of 1332	2176	winlogon.exe	120
PID 2176 wrote to memory of 1332	2176	winlogon.exe	120
PID 2176 wrote to memory of 1608	2176	winlogon.exe	121
PID 2176 wrote to memory of 1608	2176	winlogon.exe	121
PID 1332 wrote to memory of 1244	1332	WScript.exe	123
PID 1332 wrote to memory of 1244	1332	WScript.exe	123
PID 1244 wrote to memory of 3708	1244	winlogon.exe	125
PID 1244 wrote to memory of 3708	1244	winlogon.exe	125
PID 1244 wrote to memory of 208	1244	winlogon.exe	126
PID 1244 wrote to memory of 208	1244	winlogon.exe	126
PID 3708 wrote to memory of 3328	3708	WScript.exe	134
PID 3708 wrote to memory of 3328	3708	WScript.exe	134
PID 3328 wrote to memory of 5072	3328	winlogon.exe	135
PID 3328 wrote to memory of 5072	3328	winlogon.exe	135
PID 3328 wrote to memory of 3580	3328	winlogon.exe	136
PID 3328 wrote to memory of 3580	3328	winlogon.exe	136
PID 5072 wrote to memory of 1056	5072	WScript.exe	137
PID 5072 wrote to memory of 1056	5072	WScript.exe	137
PID 1056 wrote to memory of 4836	1056	winlogon.exe	138
PID 1056 wrote to memory of 4836	1056	winlogon.exe	138
PID 1056 wrote to memory of 4696	1056	winlogon.exe	139
PID 1056 wrote to memory of 4696	1056	winlogon.exe	139
PID 4836 wrote to memory of 4048	4836	WScript.exe	140
PID 4836 wrote to memory of 4048	4836	WScript.exe	140
PID 4048 wrote to memory of 2064	4048	winlogon.exe	141
PID 4048 wrote to memory of 2064	4048	winlogon.exe	141
PID 4048 wrote to memory of 1064	4048	winlogon.exe	142
PID 4048 wrote to memory of 1064	4048	winlogon.exe	142
PID 2064 wrote to memory of 1836	2064	WScript.exe	143
PID 2064 wrote to memory of 1836	2064	WScript.exe	143
PID 1836 wrote to memory of 5040	1836	winlogon.exe	144
PID 1836 wrote to memory of 5040	1836	winlogon.exe	144
PID 1836 wrote to memory of 4380	1836	winlogon.exe	145
PID 1836 wrote to memory of 4380	1836	winlogon.exe	145
PID 5040 wrote to memory of 3176	5040	WScript.exe	146
PID 5040 wrote to memory of 3176	5040	WScript.exe	146
PID 3176 wrote to memory of 2968	3176	winlogon.exe	147
PID 3176 wrote to memory of 2968	3176	winlogon.exe	147
PID 3176 wrote to memory of 3508	3176	winlogon.exe	148
PID 3176 wrote to memory of 3508	3176	winlogon.exe	148
PID 2968 wrote to memory of 2288	2968	WScript.exe	150
PID 2968 wrote to memory of 2288	2968	WScript.exe	150
PID 2288 wrote to memory of 5008	2288	winlogon.exe	151
PID 2288 wrote to memory of 5008	2288	winlogon.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe
"C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfnS8a2pAv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1588
- - C:\Users\Public\Desktop\winlogon.exe
    "C:\Users\Public\Desktop\winlogon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63729a0a-bee7-4d65-a170-79fa4d1bab89.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4aaa4d-c216-4c9c-b362-982abc873558.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccae3780-1ec2-446d-b4c8-1a37408dc802.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13de99af-c135-4532-bf88-b9728ada1671.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f71fc3d-42f7-4995-882a-bc0db818858c.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee4f19c-36d1-482b-b70d-75e9984128c6.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae92fad-e8a4-4677-bed4-f8217d3929b4.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4feeba7-7e18-4fa4-9fbf-a383c2aa2f66.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e22d8651-c89c-4ab9-bd9e-efbc43efa800.vbs"
        20⤵
        
        PID:5008
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a690f6f7-7ce1-494e-9f19-1084ecdbb953.vbs"
        22⤵
        
        PID:4744
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f74139e-72a5-461c-9787-cd0fabc86968.vbs"
        24⤵
        
        PID:3584
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab4a9987-b610-47d5-ab18-d16c28dc9058.vbs"
        26⤵
        
        PID:3172
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855fa44c-da9f-4f6e-bb55-87689e50813d.vbs"
        28⤵
        
        PID:1564
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f58f3ea-3509-4538-997f-f4a78316f37a.vbs"
        30⤵
        
        PID:1520
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71d710c2-998d-40c4-9723-1f46dbd580c2.vbs"
        32⤵
        
        PID:2652
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        33⤵
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5fba054-568c-40c9-8682-de7e2ff0d3ee.vbs"
        32⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00603f79-2d7c-47c3-9a5b-d614a6ced512.vbs"
        30⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88873e8-e5a0-4369-abf9-d8f3d723020b.vbs"
        28⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bd5ce02-1d23-46fa-ad76-1e88ff7f8baf.vbs"
        26⤵
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\273c9ef2-8885-42b5-8e86-0b514ed94d18.vbs"
        24⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccfbb125-2b50-4509-a6c9-023ba6ccd83a.vbs"
        22⤵
        
        PID:3924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\497f5a38-8dbe-488c-903b-9f018314483b.vbs"
        20⤵
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\588dd94e-f83a-43ba-8ba0-f17a8cc2645d.vbs"
        18⤵
        
        PID:3508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caf45a13-09f4-4c9f-a654-5b5731d42a8d.vbs"
        16⤵
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c6db266-19d2-4387-8aef-182390d0f5e5.vbs"
        14⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\337fe7d7-e2b2-4d61-8b75-bb920d19775f.vbs"
        12⤵
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cbd22fc-c04a-4725-8c3a-e100b827fc00.vbs"
        10⤵
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de0e6c8a-b2b4-48cb-b1b5-a6125587f268.vbs"
        8⤵
        
        PID:208
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcde3d0a-24bb-431b-9151-ff50997419c8.vbs"
        6⤵
        
        PID:1608
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6c9b891-734c-46b6-8934-b9dfaf6d882f.vbs"
      4⤵
      PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c870e41803c86f574d467de03b94d3a5c" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c870e41803c86f574d467de03b94d3a5" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c870e41803c86f574d467de03b94d3a5c" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\c870e41803c86f574d467de03b94d3a5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\13de99af-c135-4532-bf88-b9728ada1671.vbs

Filesize
712B

MD5
98e58d4065613793d6dec4b1436d1f55

SHA1
6aa264e11e94dfe03abdec60f0de796f766827cd

SHA256
a1ae70d4b5b631eff431d3696a007b2053c0476102b8a0bf5ea8a2f976665242

SHA512
7c19ab1dac927ee9016aef4ea53fa4ef11bc73adfddcf5248a01fd2763257e46d263402b18120c1e4b3a74e6dd3e10393693808eb07eaed7b33fa70891a75994

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f58f3ea-3509-4538-997f-f4a78316f37a.vbs

Filesize
712B

MD5
65827b29a48754d72a070437a1e9e9b4

SHA1
ae7fd57c21dcf114894ceee224c91d616604068a

SHA256
77e3ead016afe4b3665f82565a5546bdd8607f7be4c2e10b069a5473cf71727d

SHA512
00a63ebb84f2eaac5039699963d3db3da9025c3ae74a8b1bbd1313086bae6c04dd1d4985c25916338691a9c200a9b5d081393cf3b0e6db9f26390792b1739e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f74139e-72a5-461c-9787-cd0fabc86968.vbs

Filesize
712B

MD5
97de802883103b936615c87e7e1f6de3

SHA1
8207b219296d08108ecf09299e8443e00829372e

SHA256
c8e55a38d8d2dc6484d2e5718a58d21d468b51d1d82153e7aedd87e541b63cd6

SHA512
b2a371fd82b4f6465cc5b3989f47fa522266f63d57eaa1ffd5e155fc9493aea4bb19641186b5e76bbcba495f589f906c02768e3062a06e6a89a74a3435e61b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f71fc3d-42f7-4995-882a-bc0db818858c.vbs

Filesize
712B

MD5
4ea7fb591ed22980e89d89ca5eb4ad52

SHA1
af2f33b6a24e6dc7765c7095276d7ada783dd323

SHA256
be5e5397e45b762c3eadb65a22089a72aa5b4fcd558a980ccd1d00cfa5db7c17

SHA512
c626659243cb28a50d1d0c9087f24cce2ed0d3be3eb3859f1c5e5b6c02230c45af043c10db5cc86799b30cdbdbc932ea1438fb69c367e4eaeae159a07b57c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\63729a0a-bee7-4d65-a170-79fa4d1bab89.vbs

Filesize
712B

MD5
60cc14adcd17395099c08c2738540e87

SHA1
e3cb0513b96de587a031892674cb78e093de7ee7

SHA256
7db2038d1c08565bcf5ac0f8629cb223d4414d7c781fde4c278db9df8e8cce64

SHA512
ff3e2cacb0d271eb0bf440cc5d2943ae98b8e8a5402bf94958a9e7cedf33996f3615a6f4b58865301ef57d441cbc7b68236c745394ce7a6bb99418c0ccebbb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ae92fad-e8a4-4677-bed4-f8217d3929b4.vbs

Filesize
712B

MD5
d6a7ad7940c93a4392a9137193a207ca

SHA1
e64be5cb1969dcf7ee459cb1437c728b7cd698ec

SHA256
3e7d2d64f505a0fcde90a125eb4d82ce82c222749a3948a9cac5e6a6c47021aa

SHA512
b9e2164525d70eebc583f240a19c3e059344ad5bca4e9e6786779e5c554714256812c2e886c6a3c46480c7f83102f00fa267368ea3ca7aa147a6d4e3bfadd6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\855fa44c-da9f-4f6e-bb55-87689e50813d.vbs

Filesize
712B

MD5
bf96d9105dd0f2518d5c80db45de1231

SHA1
5df0a7ca5eb24d319df750689b870a04299c2a53

SHA256
78587282797d8e832c0bb59b254fab633c3555e101f392a4283cf766e27ab88f

SHA512
8253cf661998de42d3880d543f7abdeeb3e6701ab3822c32682245b36b049ef2ebac7ba355b2be862cd66b0f372aa14de3207266be0d05bccacff3304cb5a3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfnS8a2pAv.bat

Filesize
201B

MD5
b66a52c6fed059a77a1fc0e4a7d4cd5b

SHA1
c50260bf5983489f9319c70a7aa8fd32d9551d2a

SHA256
8269cea940a54867774678b46ba133e8503841487b98a0a0244f899f803b0c5b

SHA512
1762f138c52e8dd15165a489bff33fbdfe966b3f957ca6e735294eec9ffcc2dcd7db219c18d653c3d03abb7538e094bb281851e5b6be0c8da6386f67df2aba7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX8B68.tmp

Filesize
1.6MB

MD5
c870e41803c86f574d467de03b94d3a5

SHA1
400b9e869b220989490c27fde0cfab9870cf5bc9

SHA256
f1967d6c082848ffbdf221a89f81eb9755ac78c924bd642ddab409969e81a37a

SHA512
9cc4b7d1d438a0a06acb3edd0fa0f9b1fb96ef291637bc6e146d0ece96225063d277eed8b8ce560b467d65df009a9b0d35f1bcf2448b2a58f098157d495bfe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2iwvdncf.q2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a690f6f7-7ce1-494e-9f19-1084ecdbb953.vbs

Filesize
712B

MD5
6d826af3597f76619ddbbecc5bcff7d9

SHA1
9e804249627bf8292974774eb5b34a88e02140fb

SHA256
612c85a0204b7d67cea1281f5220aaf4c2f0f363f7d2856c949e37c2586cc50e

SHA512
0f5b9380d61a5472b50ffa2dd4a911b08dc9d7d3281f44fd65e79fff75b1971b1b9dfc1373ceadfe9e408f42583075c1fb4b46fc3e1c7bfad21ea789773c33c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab4a9987-b610-47d5-ab18-d16c28dc9058.vbs

Filesize
712B

MD5
916bd061a9d8240fb0c4e62ea58cef82

SHA1
fcbf731987275a0077c7aa887e48ae15ac0dfaf3

SHA256
c69fcacc6f02bb299c19df533892efce7ed4d85b6338c570cf2fde9ce471f404

SHA512
3ee2ddb591f3d03fc26246ab90f3616d1ea5b0a31f7371daf0bf9dcdb7326a3cc61c49990d52a8e5efe7918aea4154b8d075a30a4fef6034d778250d711d51e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc4aaa4d-c216-4c9c-b362-982abc873558.vbs

Filesize
712B

MD5
a58ddaf923f15f2188575e1c2b26f8df

SHA1
447b70ff9aa8f058b5cfce4eec11bb7bbeb12a27

SHA256
a5155ba616f05fbb0fa3713ef9c9a6f4906956913f9046466c34938c589f3cac

SHA512
5e25e607af7cf4998fb72eecec8d919f836f07e7b0112b0be6722c9e9422da191044fd8e5c955a3f8f7a2e9307cfed275f09e29646385196805610cba4736c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccae3780-1ec2-446d-b4c8-1a37408dc802.vbs

Filesize
712B

MD5
472f2cd8cc731097cdd073186aad2cb3

SHA1
60c1714de7104998cf6cc8c3872f2397e9190443

SHA256
eb7127883236c28bfd3072d07e45d4994c6121920053034194c3cafb5e840ee4

SHA512
57ef958592225ceda7f51fb945ab24202de718e6a7519a21851b6cd5a0c4dfc439ae0a3cbda45cea1699b100778919d9908f20b1d2db5871da38eb27983cafcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cee4f19c-36d1-482b-b70d-75e9984128c6.vbs

Filesize
712B

MD5
8b92fe203c015e37634b9cfb7a076e3f

SHA1
c8a78a0f36fdf15895015996f9870597ad665b9d

SHA256
ad27b0efb80c68f01e87ca70db4b495bda6ebc5375cbde0b27496d4c8e51177c

SHA512
d5740c661739d938395c221f21448fd379eb4d22c41272a42d4d992ad1ebb02bd71c942f99fced13b72f96e0cd1fbaf87afd53049022220327eb8087b74ccc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4feeba7-7e18-4fa4-9fbf-a383c2aa2f66.vbs

Filesize
712B

MD5
258fe448a04437f1b24aaffda8fc1cb4

SHA1
77fef67dcf576b61c4b422dc9c207007029cf224

SHA256
9744139ce561b5dae65f336bd4662fc61e699dba64feaca2bf9bdce17d484021

SHA512
dc422af70138c501bcf41d77674917f3d88dbdabf930714a16a1a16d2076dd992b7d6cea5b7a4e412c204b951f175c1a4d4ff47f8c3dce53c8ec5c6aa9bb7fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e22d8651-c89c-4ab9-bd9e-efbc43efa800.vbs

Filesize
712B

MD5
40d17439c14c1d075276ca3ea8a94dfc

SHA1
a5513a50bd11732a2a876b83f8f12d30b9cedf91

SHA256
c8e295e4180bccde85facd1e0dd10682215c1093d681bb46378e961279457fe1

SHA512
640dabbfb73bce75e7ecf74a6bfc999e3139729fb2e2ae612ce5a8defdb913e7951963cdccc4cf2e84b6ac3d4dcff9c5a3b0056ddef0eaf21d279661f3ea5e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6c9b891-734c-46b6-8934-b9dfaf6d882f.vbs

Filesize
488B

MD5
3139f219ba52828e9aa8bbba73bcd1b8

SHA1
d9ee52f12b97dfdfc2077549aff22ab2e289ea60

SHA256
6ca00803b49a4b71d09654aaefd99e8671bb098d870432c8e8481682ee5ddd47

SHA512
97f8562ad736bf495be8860a92f48b192b7c3f6bef394f88f7d185ae0adb6d25401fcf56a307296c4504aa9a609187a1217a4ce3e443f76a4cb504ba83447780

Download Submit
memory/1332-6-0x00000000033A0000-0x00000000033B6000-memory.dmp

Filesize
88KB

Download
memory/1332-11-0x00000000035E0000-0x00000000035EC000-memory.dmp

Filesize
48KB

Download
memory/1332-1-0x0000000000FC0000-0x0000000001162000-memory.dmp

Filesize
1.6MB

Download
memory/1332-14-0x0000000003610000-0x0000000003618000-memory.dmp

Filesize
32KB

Download
memory/1332-15-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

Filesize
32KB

Download
memory/1332-16-0x000000001BF00000-0x000000001BF0A000-memory.dmp

Filesize
40KB

Download
memory/1332-17-0x000000001C660000-0x000000001C66C000-memory.dmp

Filesize
48KB

Download
memory/1332-12-0x00000000035F0000-0x00000000035FA000-memory.dmp

Filesize
40KB

Download
memory/1332-13-0x0000000003600000-0x000000000360E000-memory.dmp

Filesize
56KB

Download
memory/1332-96-0x00007FFF45AD0000-0x00007FFF46591000-memory.dmp

Filesize
10.8MB

Download
memory/1332-0-0x00007FFF45AD3000-0x00007FFF45AD5000-memory.dmp

Filesize
8KB

Download
memory/1332-10-0x0000000003560000-0x000000000356C000-memory.dmp

Filesize
48KB

Download
memory/1332-9-0x0000000003550000-0x0000000003558000-memory.dmp

Filesize
32KB

Download
memory/1332-8-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/1332-7-0x00000000033C0000-0x00000000033C8000-memory.dmp

Filesize
32KB

Download
memory/1332-3-0x0000000003370000-0x000000000338C000-memory.dmp

Filesize
112KB

Download
memory/1332-4-0x00000000033E0000-0x0000000003430000-memory.dmp

Filesize
320KB

Download
memory/1332-5-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/1332-2-0x00007FFF45AD0000-0x00007FFF46591000-memory.dmp

Filesize
10.8MB

Download
memory/1524-79-0x00000201A6A20000-0x00000201A6A42000-memory.dmp

Filesize
136KB

Download