dcrat | 249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de85b03bebfb919df53912cb0ca84af7.exe
Size

1.6MB
MD5

de85b03bebfb919df53912cb0ca84af7
SHA1

336bd7b1faf7e3cddb45c071ff5f5d6d64f94fb9
SHA256

5c7f27a1cc7422a66ac2e509f12015bff8fe6db6c09bbd293944fd5b736270da
SHA512

ed2c9fbc59c21d07d1894b189569b8539a4a05e94df4a9af1608a4580c90247b011792334a9b08040eefd71d7130ae76019e0ef55a85c56dde12642dcc1564ef
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	208	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/1720-1-0x00000000004C0000-0x0000000000662000-memory.dmp	dcrat
behavioral12/files/0x0007000000024158-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3792	powershell.exe
632	powershell.exe
1144	powershell.exe
2288	powershell.exe
5044	powershell.exe
3544	powershell.exe
4412	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	de85b03bebfb919df53912cb0ca84af7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 14 IoCs

pid	Process
4960	System.exe
3012	System.exe
1828	System.exe
3000	System.exe
3780	System.exe
4688	System.exe
2832	System.exe
2820	System.exe
216	System.exe
4560	System.exe
1888	System.exe
5032	System.exe
4820	System.exe
3296	System.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\RCXBB99.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Windows\addins\SppExtComObj.exe	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Windows\addins\e1ef82546f0b02	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\addins\RCXB703.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\Globalization\RCXBBAA.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\Globalization\lsass.exe	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Windows\Globalization\lsass.exe	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Windows\Globalization\6203df4a6bafc7	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\addins\RCXB702.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\addins\SppExtComObj.exe	de85b03bebfb919df53912cb0ca84af7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	de85b03bebfb919df53912cb0ca84af7.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4076	schtasks.exe
3824	schtasks.exe
3500	schtasks.exe
1096	schtasks.exe
3056	schtasks.exe
860	schtasks.exe
212	schtasks.exe
2260	schtasks.exe
696	schtasks.exe
4948	schtasks.exe
1640	schtasks.exe
1888	schtasks.exe
1032	schtasks.exe
4780	schtasks.exe
3348	schtasks.exe
2192	schtasks.exe
1648	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1720	de85b03bebfb919df53912cb0ca84af7.exe
1720	de85b03bebfb919df53912cb0ca84af7.exe
1720	de85b03bebfb919df53912cb0ca84af7.exe
1720	de85b03bebfb919df53912cb0ca84af7.exe
1720	de85b03bebfb919df53912cb0ca84af7.exe
3544	powershell.exe
3544	powershell.exe
4412	powershell.exe
4412	powershell.exe
632	powershell.exe
632	powershell.exe
5044	powershell.exe
5044	powershell.exe
3792	powershell.exe
3792	powershell.exe
2288	powershell.exe
2288	powershell.exe
1144	powershell.exe
1144	powershell.exe
632	powershell.exe
4412	powershell.exe
3544	powershell.exe
5044	powershell.exe
2288	powershell.exe
3792	powershell.exe
1144	powershell.exe
4960	System.exe
3012	System.exe
1828	System.exe
3000	System.exe
3000	System.exe
3780	System.exe
4688	System.exe
2832	System.exe
2820	System.exe
216	System.exe
4560	System.exe
1888	System.exe
5032	System.exe
3296	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	de85b03bebfb919df53912cb0ca84af7.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	4960	System.exe
Token: SeDebugPrivilege	3012	System.exe
Token: SeDebugPrivilege	1828	System.exe
Token: SeDebugPrivilege	3000	System.exe
Token: SeDebugPrivilege	3780	System.exe
Token: SeDebugPrivilege	4688	System.exe
Token: SeDebugPrivilege	2832	System.exe
Token: SeDebugPrivilege	2820	System.exe
Token: SeDebugPrivilege	216	System.exe
Token: SeDebugPrivilege	4560	System.exe
Token: SeDebugPrivilege	1888	System.exe
Token: SeDebugPrivilege	5032	System.exe
Token: SeDebugPrivilege	3296	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3792	1720	de85b03bebfb919df53912cb0ca84af7.exe	110
PID 1720 wrote to memory of 3792	1720	de85b03bebfb919df53912cb0ca84af7.exe	110
PID 1720 wrote to memory of 4412	1720	de85b03bebfb919df53912cb0ca84af7.exe	111
PID 1720 wrote to memory of 4412	1720	de85b03bebfb919df53912cb0ca84af7.exe	111
PID 1720 wrote to memory of 3544	1720	de85b03bebfb919df53912cb0ca84af7.exe	112
PID 1720 wrote to memory of 3544	1720	de85b03bebfb919df53912cb0ca84af7.exe	112
PID 1720 wrote to memory of 5044	1720	de85b03bebfb919df53912cb0ca84af7.exe	113
PID 1720 wrote to memory of 5044	1720	de85b03bebfb919df53912cb0ca84af7.exe	113
PID 1720 wrote to memory of 2288	1720	de85b03bebfb919df53912cb0ca84af7.exe	114
PID 1720 wrote to memory of 2288	1720	de85b03bebfb919df53912cb0ca84af7.exe	114
PID 1720 wrote to memory of 1144	1720	de85b03bebfb919df53912cb0ca84af7.exe	115
PID 1720 wrote to memory of 1144	1720	de85b03bebfb919df53912cb0ca84af7.exe	115
PID 1720 wrote to memory of 632	1720	de85b03bebfb919df53912cb0ca84af7.exe	116
PID 1720 wrote to memory of 632	1720	de85b03bebfb919df53912cb0ca84af7.exe	116
PID 1720 wrote to memory of 4960	1720	de85b03bebfb919df53912cb0ca84af7.exe	124
PID 1720 wrote to memory of 4960	1720	de85b03bebfb919df53912cb0ca84af7.exe	124
PID 4960 wrote to memory of 3492	4960	System.exe	126
PID 4960 wrote to memory of 3492	4960	System.exe	126
PID 4960 wrote to memory of 3088	4960	System.exe	127
PID 4960 wrote to memory of 3088	4960	System.exe	127
PID 3492 wrote to memory of 3012	3492	WScript.exe	130
PID 3492 wrote to memory of 3012	3492	WScript.exe	130
PID 3012 wrote to memory of 1364	3012	System.exe	131
PID 3012 wrote to memory of 1364	3012	System.exe	131
PID 3012 wrote to memory of 4244	3012	System.exe	132
PID 3012 wrote to memory of 4244	3012	System.exe	132
PID 1364 wrote to memory of 1828	1364	WScript.exe	134
PID 1364 wrote to memory of 1828	1364	WScript.exe	134
PID 1828 wrote to memory of 4592	1828	System.exe	135
PID 1828 wrote to memory of 4592	1828	System.exe	135
PID 1828 wrote to memory of 3284	1828	System.exe	136
PID 1828 wrote to memory of 3284	1828	System.exe	136
PID 4592 wrote to memory of 3000	4592	WScript.exe	145
PID 4592 wrote to memory of 3000	4592	WScript.exe	145
PID 3000 wrote to memory of 1052	3000	System.exe	146
PID 3000 wrote to memory of 1052	3000	System.exe	146
PID 3000 wrote to memory of 3668	3000	System.exe	147
PID 3000 wrote to memory of 3668	3000	System.exe	147
PID 1052 wrote to memory of 3780	1052	WScript.exe	148
PID 1052 wrote to memory of 3780	1052	WScript.exe	148
PID 3780 wrote to memory of 4208	3780	System.exe	149
PID 3780 wrote to memory of 4208	3780	System.exe	149
PID 3780 wrote to memory of 2596	3780	System.exe	150
PID 3780 wrote to memory of 2596	3780	System.exe	150
PID 4208 wrote to memory of 4688	4208	WScript.exe	151
PID 4208 wrote to memory of 4688	4208	WScript.exe	151
PID 4688 wrote to memory of 1352	4688	System.exe	152
PID 4688 wrote to memory of 1352	4688	System.exe	152
PID 4688 wrote to memory of 4164	4688	System.exe	153
PID 4688 wrote to memory of 4164	4688	System.exe	153
PID 1352 wrote to memory of 2832	1352	WScript.exe	154
PID 1352 wrote to memory of 2832	1352	WScript.exe	154
PID 2832 wrote to memory of 3964	2832	System.exe	155
PID 2832 wrote to memory of 3964	2832	System.exe	155
PID 2832 wrote to memory of 3772	2832	System.exe	156
PID 2832 wrote to memory of 3772	2832	System.exe	156
PID 3964 wrote to memory of 2820	3964	WScript.exe	157
PID 3964 wrote to memory of 2820	3964	WScript.exe	157
PID 2820 wrote to memory of 860	2820	System.exe	158
PID 2820 wrote to memory of 860	2820	System.exe	158
PID 2820 wrote to memory of 4236	2820	System.exe	159
PID 2820 wrote to memory of 4236	2820	System.exe	159
PID 860 wrote to memory of 216	860	WScript.exe	161
PID 860 wrote to memory of 216	860	WScript.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe
"C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Recovery\WindowsRE\System.exe
  "C:\Recovery\WindowsRE\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3adc45-f27e-487a-a216-a64619ee70e3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Recovery\WindowsRE\System.exe
      C:\Recovery\WindowsRE\System.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b798290-7651-4e58-a5af-bcfd15d125c3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a17ba281-4588-47f4-9fd6-c2f0611c4420.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b507e263-324b-492f-87ba-dad5c2b47464.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba96859-fb71-4928-8598-932832c33b8a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90b479f-24fa-4d38-a47e-afb1c66c76ca.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d777897-9b00-4046-8993-223a636bbbd8.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\750f38d7-dbd1-4d56-aac2-1a430bdc730c.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b57fbc-689a-4740-b50e-58d2b6928d1a.vbs"
        19⤵
        
        PID:4700
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f4f799-372d-47c7-afcc-0e4d59ef35c8.vbs"
        21⤵
        
        PID:2632
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3529f770-5bf0-4a0e-b0b1-d984a3511daa.vbs"
        23⤵
        
        PID:1096
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\302764cf-d17c-4807-8e85-d93aa08c6892.vbs"
        25⤵
        
        PID:4044
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a98956d-41af-4642-9fd2-d2fdddb5a45b.vbs"
        27⤵
        
        PID:2900
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\149323c1-25b1-474a-9585-a481acc48803.vbs"
        29⤵
        
        PID:2184
        
        C:\Recovery\WindowsRE\System.exe
        
        C:\Recovery\WindowsRE\System.exe
        30⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e042c4da-4511-4acc-8e9b-54b8f046aa46.vbs"
        31⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7a0072-314b-474c-a3e5-b64c35d002cb.vbs"
        31⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dc3aab3-edbb-403f-a048-b19df3ca3b52.vbs"
        29⤵
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b14d5cae-02f7-4fa6-bf67-7b9d04ffd4b6.vbs"
        27⤵
        
        PID:4788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0863acb-9b69-4b7a-88a8-ca5031832c59.vbs"
        25⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c843655c-902d-4b95-92e9-a0f80195a70a.vbs"
        23⤵
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\347bb579-3810-4b1f-98e4-3e5607da43da.vbs"
        21⤵
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6d80a8f-1a94-4ca2-824c-03b0ab2d5fb8.vbs"
        19⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39575a7c-e716-4d6e-948f-e2426445f44f.vbs"
        17⤵
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1da32a0-98f2-4ec4-b6af-5cfbb183cc80.vbs"
        15⤵
        
        PID:3772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a726bf9-8051-4ef9-be25-222e85071fb1.vbs"
        13⤵
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98d144e0-bc33-4cce-bd4b-62822651a490.vbs"
        11⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27453943-be47-4dfb-a0e9-6137283a7f03.vbs"
        9⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40983b50-33b9-4ace-bc55-59696868a228.vbs"
        7⤵
        
        PID:3284
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6917a591-e17b-4d4f-8f31-bb014e5dc796.vbs"
        5⤵
        
        PID:4244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c91bfcc-88ed-4f60-b9a8-ec19091a164e.vbs"
    3⤵
    PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\addins\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Globalization\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44ae12563d9f97ac1136baee629673df

SHA1
38790549497302c43bd3ff6c5225e8c7054829e2

SHA256
b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb

SHA512
07cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Temp\07f4f799-372d-47c7-afcc-0e4d59ef35c8.vbs

Filesize
708B

MD5
4dab95e8d51b1e2a1df9250aa068681e

SHA1
bc8c9480e192c01c8fef06b522761dcb2797b2c0

SHA256
2afba900e98f86d5eb386189d8ff90176bf41af3a8af46a21dc6e71d4b478453

SHA512
e895a0ed1207ba6414671b8415c5e72111fe5416fecb080fc14603fb89f1085eb77e930fc541c782ac4e2dca7c83ad5d6b99493c2967657ac4197f9edd06ef88

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d777897-9b00-4046-8993-223a636bbbd8.vbs

Filesize
708B

MD5
e8dc636cc04b38235d4932cd347837e6

SHA1
29093730f63e0b21ae204a940b037178b445e7e6

SHA256
86c70e9c1584ffa9aa31f36b00256471eae7f7841338b50ac6ed49e503788f8b

SHA512
85876a8dc017d142375ee0c1b23cf4cfc750e5ad898c6afd68ffd0eb0782ecfbf6d1c18382fab489d33434169c8539ae887c234932adbe16877818f90e71b86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\149323c1-25b1-474a-9585-a481acc48803.vbs

Filesize
708B

MD5
516a9b3d73a2a1111e59c23e332faea8

SHA1
8aed63cf6db2600f69aae15dd76f44d7090dc6e8

SHA256
d377625bc6c864d5da2efbda854d9cea13fac2907a88db6b5efbfa8225859d9c

SHA512
a16daac3a74bb39cf49c006092e8c0a5da5f960d5300bbea0d34e1f02a0127cec859a0e8e9622a04c3131f88f65b02a00f947977eff08fbf8b53c721e630343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b798290-7651-4e58-a5af-bcfd15d125c3.vbs

Filesize
708B

MD5
e771adcb1d6d00c6926c1d0dcb336bbf

SHA1
883203d2085e1b0a6e16b0e10a1b8e1be58f5374

SHA256
e9e67743c4a784445888a665576794121ffee3f09e42ad786f606314bc0ec5fc

SHA512
5968f195560dabffccbef455d080b2f603ad200a894ca5d1e3571a023c89033ad48a7b15801988d9b983f0a09c8f4ba639f861c066a3db4c701699af1f4aa381

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c3adc45-f27e-487a-a216-a64619ee70e3.vbs

Filesize
708B

MD5
77df85f52d2f31d83b700261f8ec1aaf

SHA1
d759c856811c7e1703f9d1eb43513d83f5134a04

SHA256
7953fee049af8d350b2769cdce931af4ab265485f51d2a5c66e66fff296738be

SHA512
f267707fea3553c96bd161bf1a0054b19ef309947ccf4bd7b5ac87df3dc395ef1fcc3a1c687a562763630c69251653685e2b818a530c2afb1c8db4d99289908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\302764cf-d17c-4807-8e85-d93aa08c6892.vbs

Filesize
708B

MD5
ebb33d12e00ff6303e3cfd6d9a905334

SHA1
71f048e09125345bbae9848191785b19b5f23a1e

SHA256
1aa627bd1a74d20203722a2ff9affeff7ca0d4ffb66e96dd15dcdc3a04dcff99

SHA512
deb2a14f3c57e2dec591285e2591ce1b7dbba52d5e9d20f72f4577364bc1db8fa9b8e7737f0c739f83e8a6a533357a0016d40db35efdabcf1b74cdc8dcc8845b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3529f770-5bf0-4a0e-b0b1-d984a3511daa.vbs

Filesize
708B

MD5
636cdc6bd772336b1b5e71cc49b64cac

SHA1
26239af1d1b703ea4f64ea7982c8559ce02c5179

SHA256
e57e97a4a97514bf9afa74121f52799b02c3f61e1830601d92b2bd31b038c9d9

SHA512
51cb82017c18cc3d37b65ed22ff31987c38671380b24207657a90cdd540cfa2a0a7c98e1cb3188eff97830dbea4c88ecb68e9e96b436e33b4270330dd11eee6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c91bfcc-88ed-4f60-b9a8-ec19091a164e.vbs

Filesize
484B

MD5
67477972222fd9824dd406738e500bca

SHA1
ccd49f36e6c57690fe95d98793173367d292132f

SHA256
94e900698e63de9447024dc4295e7b07b7e4b3acd200370066a2aeb5644d339f

SHA512
8a9435195eeeb34316b52f7edc7bf6e653172335c31036c2a00ad2cb2f5862b1715a6d5c6a1a73ebc551fdcbe1bc85427d114a189cb1e8de91a92bca11f3f671

Download Submit
C:\Users\Admin\AppData\Local\Temp\750f38d7-dbd1-4d56-aac2-1a430bdc730c.vbs

Filesize
708B

MD5
d1f22e2f547f6d7ab0564ea3879be232

SHA1
24b7faddc5adf2a4f1ccb87b971cb4b076b72d9f

SHA256
03101be8c9a9e6f58fce85a267eee3054bcf527d9b7b78f512f0e0f056150d3d

SHA512
1265e8b6dca2ff6b50c5f16e891014a60e069eb6393decca6f26f849734d4bbf69af01a9d15ea1befc27938a500f23651086d40d5893d4afc82ad0d43c9dcdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12mp42od.eqy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a17ba281-4588-47f4-9fd6-c2f0611c4420.vbs

Filesize
708B

MD5
75fc38fc8ad99e1c888d1cd6c43fa162

SHA1
935768ac8a13bf3cfe7752247f8fb71b12d76a2c

SHA256
e02cd127b738f1bb9726fe63a35985bf755dc02a3e7960b8574a09a090fb3d8a

SHA512
343ba67533f2d6d8905a6767b318086d093e5dafcc6b25d592a568e212ee4fdd85426b1f34919ef1df45b76abc1d057b788ba268b1932e6043f8ce92a5950493

Download Submit
C:\Users\Admin\AppData\Local\Temp\b507e263-324b-492f-87ba-dad5c2b47464.vbs

Filesize
708B

MD5
3dfda34e1aafe7636b079b66c9393504

SHA1
6a5a1ff9371baf7caf21bc76c5c423c153276824

SHA256
ff43edc4cb3a1cbb0cd5d69ece748a991a850d2b7263df8f7e09c4fce5a704e7

SHA512
c8f09f15a45f317ee3f651afd1c3767909f844192f32d9a4962c07a60b6a4d248435518be1cb8196d15626e8860dfc648ce0c8edbec8563890884702f85ea4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bba96859-fb71-4928-8598-932832c33b8a.vbs

Filesize
708B

MD5
dbcc77ea2a495812be1fdda0de4f0774

SHA1
f09373414768c022b1750e771121bc8f12253a18

SHA256
54c3a2a900342a60fa234c5de6333fd36e43ac673401816fde487a3fbfa53c5d

SHA512
ff0e4ca28454ae44c6f8ac0556247c75573560141220938a3e7724c08c2a57aabb877469dc723876e64b82730d159c2719b0b7dc96c1f72b078ec967d31721c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c90b479f-24fa-4d38-a47e-afb1c66c76ca.vbs

Filesize
708B

MD5
3ff69e67d89980bc14d611072abdf4e8

SHA1
59449e98d8e7440f226e6bd16477853f7dc5636d

SHA256
50c94751ca73e00c7deb2c9bcb5a3e85fe1a7c6f2a9b0f28b2f84def3621c070

SHA512
03655f5d71e4cfd32987c1100c80939aa546a7406d09407bb113f22ac0114adf1a52ffdd4fe1a23ba156908cc546f1e1b05228a18bf02b578e446eb8626bee68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6b57fbc-689a-4740-b50e-58d2b6928d1a.vbs

Filesize
707B

MD5
6ae5c5c1b1ee868bd41cf3952fc8a0d4

SHA1
3ea319d715768bbfda05df7ce5b83ede3a5f2499

SHA256
8596db2d8cf2f53b09bf02927cb0928e3e36cca50c71e069787f5ee2a40314cc

SHA512
42ee1afea096a7cb2cafcacf05db0665746569e4b71e7095015f42efe22612e8bf21a05c5d1043aa384c369c354d1f4436a939d421ab35e9e1a5724e0e1f763b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e042c4da-4511-4acc-8e9b-54b8f046aa46.vbs

Filesize
708B

MD5
dc0dbafee8d1d29370abd6032198e6c9

SHA1
bb74714fc82ed684b31ed5851a07d7b2d5b59656

SHA256
4853f3331b73f1bc0ba21cc2a467103748612def047201586ceb0fc23a8e5ae3

SHA512
677609e221c87dfa660ce7af5289a24687d9d29868fa1aa32982335be00109c6d0ac7a554b3f92d85b032f64a38d1cecd816766b45c48304d62bca5d25d8e1de

Download Submit
C:\Windows\Globalization\lsass.exe

Filesize
1.6MB

MD5
de85b03bebfb919df53912cb0ca84af7

SHA1
336bd7b1faf7e3cddb45c071ff5f5d6d64f94fb9

SHA256
5c7f27a1cc7422a66ac2e509f12015bff8fe6db6c09bbd293944fd5b736270da

SHA512
ed2c9fbc59c21d07d1894b189569b8539a4a05e94df4a9af1608a4580c90247b011792334a9b08040eefd71d7130ae76019e0ef55a85c56dde12642dcc1564ef

Download Submit
memory/1720-14-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/1720-13-0x000000001BB20000-0x000000001BB2E000-memory.dmp

Filesize
56KB

Download
memory/1720-0-0x00007FFF4D5F3000-0x00007FFF4D5F5000-memory.dmp

Filesize
8KB

Download
memory/1720-6-0x000000001B190000-0x000000001B1A6000-memory.dmp

Filesize
88KB

Download
memory/1720-7-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/1720-9-0x000000001B2D0000-0x000000001B2D8000-memory.dmp

Filesize
32KB

Download
memory/1720-10-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

Filesize
48KB

Download
memory/1720-11-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/1720-12-0x000000001BB10000-0x000000001BB1A000-memory.dmp

Filesize
40KB

Download
memory/1720-229-0x00007FFF4D5F0000-0x00007FFF4E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1720-1-0x00000000004C0000-0x0000000000662000-memory.dmp

Filesize
1.6MB

Download
memory/1720-16-0x000000001BC50000-0x000000001BC5A000-memory.dmp

Filesize
40KB

Download
memory/1720-17-0x000000001BB50000-0x000000001BB5C000-memory.dmp

Filesize
48KB

Download
memory/1720-15-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/1720-8-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1720-4-0x000000001B970000-0x000000001B9C0000-memory.dmp

Filesize
320KB

Download
memory/1720-5-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/1720-3-0x0000000000F20000-0x0000000000F3C000-memory.dmp

Filesize
112KB

Download
memory/1720-2-0x00007FFF4D5F0000-0x00007FFF4E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-164-0x000001D6705C0000-0x000001D6705E2000-memory.dmp

Filesize
136KB

Download