dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7efdf437b268455f4d328ffb164701.exe
Size

1.6MB
MD5

0a7efdf437b268455f4d328ffb164701
SHA1

c8004052c57affe1a1dcd8a4c85d1df28f980fc9
SHA256

4fbccd0e2aec34305c845e4f50ff90aeef7701d2e94e866ba47f9e4b0beb2b92
SHA512

2fe6c1531ac2fe4ef6a128b132dad6bca73db277d884924433e814e2b7b89757ef7fc9b6d127fdf29b4776f8b3c5ea80d5593d3476db3116efcfc0b778d23720
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	112	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/3708-1-0x0000000000740000-0x00000000008E2000-memory.dmp	dcrat
behavioral26/files/0x0007000000024159-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
456	powershell.exe
3424	powershell.exe
2288	powershell.exe
1848	powershell.exe
1184	powershell.exe
4816	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	0a7efdf437b268455f4d328ffb164701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 16 IoCs

pid	Process
1240	lsass.exe
1608	lsass.exe
2712	lsass.exe
1736	lsass.exe
2312	lsass.exe
2664	lsass.exe
2716	lsass.exe
1636	lsass.exe
2964	lsass.exe
5008	lsass.exe
4012	lsass.exe
3596	lsass.exe
2592	lsass.exe
1064	lsass.exe
540	lsass.exe
3528	lsass.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX96B8.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX96B9.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6cb0b6c459d5d3	0a7efdf437b268455f4d328ffb164701.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	0a7efdf437b268455f4d328ffb164701.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4292	schtasks.exe
4588	schtasks.exe
1656	schtasks.exe
2592	schtasks.exe
4700	schtasks.exe
4736	schtasks.exe
3560	schtasks.exe
3308	schtasks.exe
3232	schtasks.exe
436	schtasks.exe
1272	schtasks.exe
3048	schtasks.exe
4872	schtasks.exe
3360	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3708	0a7efdf437b268455f4d328ffb164701.exe
3708	0a7efdf437b268455f4d328ffb164701.exe
3708	0a7efdf437b268455f4d328ffb164701.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
4816	powershell.exe
4816	powershell.exe
456	powershell.exe
456	powershell.exe
2288	powershell.exe
2288	powershell.exe
1848	powershell.exe
1848	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
4816	powershell.exe
456	powershell.exe
1848	powershell.exe
2288	powershell.exe
1240	lsass.exe
1608	lsass.exe
2712	lsass.exe
1736	lsass.exe
1736	lsass.exe
2312	lsass.exe
2312	lsass.exe
2664	lsass.exe
2664	lsass.exe
2716	lsass.exe
1636	lsass.exe
2964	lsass.exe
5008	lsass.exe
4012	lsass.exe
3596	lsass.exe
2592	lsass.exe
1064	lsass.exe
1064	lsass.exe
540	lsass.exe
3528	lsass.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	0a7efdf437b268455f4d328ffb164701.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1240	lsass.exe
Token: SeDebugPrivilege	1608	lsass.exe
Token: SeDebugPrivilege	2712	lsass.exe
Token: SeDebugPrivilege	1736	lsass.exe
Token: SeDebugPrivilege	2312	lsass.exe
Token: SeDebugPrivilege	2664	lsass.exe
Token: SeDebugPrivilege	2716	lsass.exe
Token: SeDebugPrivilege	1636	lsass.exe
Token: SeDebugPrivilege	2964	lsass.exe
Token: SeDebugPrivilege	5008	lsass.exe
Token: SeDebugPrivilege	4012	lsass.exe
Token: SeDebugPrivilege	3596	lsass.exe
Token: SeDebugPrivilege	2592	lsass.exe
Token: SeDebugPrivilege	1064	lsass.exe
Token: SeDebugPrivilege	540	lsass.exe
Token: SeDebugPrivilege	3528	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2288	3708	0a7efdf437b268455f4d328ffb164701.exe	106
PID 3708 wrote to memory of 2288	3708	0a7efdf437b268455f4d328ffb164701.exe	106
PID 3708 wrote to memory of 1848	3708	0a7efdf437b268455f4d328ffb164701.exe	107
PID 3708 wrote to memory of 1848	3708	0a7efdf437b268455f4d328ffb164701.exe	107
PID 3708 wrote to memory of 1184	3708	0a7efdf437b268455f4d328ffb164701.exe	108
PID 3708 wrote to memory of 1184	3708	0a7efdf437b268455f4d328ffb164701.exe	108
PID 3708 wrote to memory of 4816	3708	0a7efdf437b268455f4d328ffb164701.exe	109
PID 3708 wrote to memory of 4816	3708	0a7efdf437b268455f4d328ffb164701.exe	109
PID 3708 wrote to memory of 456	3708	0a7efdf437b268455f4d328ffb164701.exe	110
PID 3708 wrote to memory of 456	3708	0a7efdf437b268455f4d328ffb164701.exe	110
PID 3708 wrote to memory of 3424	3708	0a7efdf437b268455f4d328ffb164701.exe	111
PID 3708 wrote to memory of 3424	3708	0a7efdf437b268455f4d328ffb164701.exe	111
PID 3708 wrote to memory of 2964	3708	0a7efdf437b268455f4d328ffb164701.exe	118
PID 3708 wrote to memory of 2964	3708	0a7efdf437b268455f4d328ffb164701.exe	118
PID 2964 wrote to memory of 2888	2964	cmd.exe	120
PID 2964 wrote to memory of 2888	2964	cmd.exe	120
PID 2964 wrote to memory of 1240	2964	cmd.exe	123
PID 2964 wrote to memory of 1240	2964	cmd.exe	123
PID 1240 wrote to memory of 3352	1240	lsass.exe	124
PID 1240 wrote to memory of 3352	1240	lsass.exe	124
PID 1240 wrote to memory of 2368	1240	lsass.exe	125
PID 1240 wrote to memory of 2368	1240	lsass.exe	125
PID 3352 wrote to memory of 1608	3352	WScript.exe	127
PID 3352 wrote to memory of 1608	3352	WScript.exe	127
PID 1608 wrote to memory of 1500	1608	lsass.exe	128
PID 1608 wrote to memory of 1500	1608	lsass.exe	128
PID 1608 wrote to memory of 2624	1608	lsass.exe	129
PID 1608 wrote to memory of 2624	1608	lsass.exe	129
PID 1500 wrote to memory of 2712	1500	WScript.exe	131
PID 1500 wrote to memory of 2712	1500	WScript.exe	131
PID 2712 wrote to memory of 1380	2712	lsass.exe	132
PID 2712 wrote to memory of 1380	2712	lsass.exe	132
PID 2712 wrote to memory of 2328	2712	lsass.exe	133
PID 2712 wrote to memory of 2328	2712	lsass.exe	133
PID 1380 wrote to memory of 1736	1380	WScript.exe	138
PID 1380 wrote to memory of 1736	1380	WScript.exe	138
PID 1736 wrote to memory of 4700	1736	lsass.exe	139
PID 1736 wrote to memory of 4700	1736	lsass.exe	139
PID 1736 wrote to memory of 1900	1736	lsass.exe	140
PID 1736 wrote to memory of 1900	1736	lsass.exe	140
PID 4700 wrote to memory of 2312	4700	WScript.exe	145
PID 4700 wrote to memory of 2312	4700	WScript.exe	145
PID 2312 wrote to memory of 2344	2312	lsass.exe	146
PID 2312 wrote to memory of 2344	2312	lsass.exe	146
PID 2312 wrote to memory of 4100	2312	lsass.exe	147
PID 2312 wrote to memory of 4100	2312	lsass.exe	147
PID 2344 wrote to memory of 2664	2344	WScript.exe	148
PID 2344 wrote to memory of 2664	2344	WScript.exe	148
PID 2664 wrote to memory of 4772	2664	lsass.exe	149
PID 2664 wrote to memory of 4772	2664	lsass.exe	149
PID 2664 wrote to memory of 5024	2664	lsass.exe	150
PID 2664 wrote to memory of 5024	2664	lsass.exe	150
PID 4772 wrote to memory of 2716	4772	WScript.exe	151
PID 4772 wrote to memory of 2716	4772	WScript.exe	151
PID 2716 wrote to memory of 1832	2716	lsass.exe	152
PID 2716 wrote to memory of 1832	2716	lsass.exe	152
PID 2716 wrote to memory of 4288	2716	lsass.exe	153
PID 2716 wrote to memory of 4288	2716	lsass.exe	153
PID 1832 wrote to memory of 1636	1832	WScript.exe	154
PID 1832 wrote to memory of 1636	1832	WScript.exe	154
PID 1636 wrote to memory of 2960	1636	lsass.exe	155
PID 1636 wrote to memory of 2960	1636	lsass.exe	155
PID 1636 wrote to memory of 4164	1636	lsass.exe	156
PID 1636 wrote to memory of 4164	1636	lsass.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe
"C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vcxxe3RfzI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2888
- - C:\d9c22b4eaa3c0b9c12c7\lsass.exe
    "C:\d9c22b4eaa3c0b9c12c7\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9c54f5f-c828-4a9a-ba6e-a9d0d77ec573.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\995baf83-7ef1-4eb6-a830-532246e9722c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fabc2466-238c-4d5c-84b8-e89393b094fc.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be6a482-2306-4825-b37c-b60f170d9699.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2488d2ae-8f99-4d46-958a-3d620a863743.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f543d4aa-17d9-44d5-89d2-3b15403aae99.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a66ca7d-1929-44a2-8d27-7fe238654bee.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\116a0186-bc12-4539-9915-ae08788846a3.vbs"
        18⤵
        
        PID:2960
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8784aaaf-b357-44e0-a217-d43b753b08b3.vbs"
        20⤵
        
        PID:736
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f2ffae0-d323-418f-9aa9-317adde3fdbc.vbs"
        22⤵
        
        PID:4692
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a85fabc9-e3aa-411e-9e9b-b3a2ef8753eb.vbs"
        24⤵
        
        PID:692
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0b80c9-79be-4293-946b-5badc31f4a24.vbs"
        26⤵
        
        PID:2080
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367a84d4-ad84-453a-b5b4-5696778c3740.vbs"
        28⤵
        
        PID:2540
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b14a488d-6a4a-4d3e-955f-4109b69d8bbc.vbs"
        30⤵
        
        PID:2280
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31588a46-7af3-487a-a433-bcba75a46771.vbs"
        32⤵
        
        PID:1396
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        
        C:\d9c22b4eaa3c0b9c12c7\lsass.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429fd5ed-31c5-44f5-b2c1-9cddf015e2ce.vbs"
        34⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3e0a3c7-5d56-441d-b213-a9099c777cdb.vbs"
        34⤵
        
        PID:4764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dff8398f-2f37-458c-b564-bd243ade7a84.vbs"
        32⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e609fca4-8850-47a5-9917-d423955fd545.vbs"
        30⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c64de6-add6-46d5-a81b-4bfc12e6d90b.vbs"
        28⤵
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4165bd43-c79b-4beb-bc1d-c94615ee5a80.vbs"
        26⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fdf9fcf-24e3-4324-be19-217f5ab7d09c.vbs"
        24⤵
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0817ce8c-d585-452e-b339-3f4f6fcbfde2.vbs"
        22⤵
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89dbbef-7e2d-46f9-b1e0-e0e0e40a94fb.vbs"
        20⤵
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a9cb8d-a14d-4cca-98e4-66f0d04ec013.vbs"
        18⤵
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43cfcefd-0e70-40a9-afbc-2d5fbb691bda.vbs"
        16⤵
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16abbd9e-85e3-4715-9f00-6a89dad0568a.vbs"
        14⤵
        
        PID:5024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4965b29c-7985-49be-8ac0-fba4193bd670.vbs"
        12⤵
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c744fe8-a678-43b0-9dc4-3474c5a3af91.vbs"
        10⤵
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19f74c5d-31d2-43f7-a7c6-c1d907706f4e.vbs"
        8⤵
        
        PID:2328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a04bcc91-41f0-40f4-bed9-c3294e6744c8.vbs"
        6⤵
        
        PID:2624
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\972b024f-db4c-42bc-a03d-ac428469057d.vbs"
      4⤵
      PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b594c0a5591fab95a43185dd9944a231

SHA1
3d725e779790f3525ba12b0666f0a3a235644fed

SHA256
8478ca44e6145dbe6664f871852535793f5ab6d86b4c78c611165bdfb91f159a

SHA512
452fc6194d00c466a3ceb98d2cce2e4262f6b0998b99c6b2ccd842d07449b177d1ce9ff4e7659e0b358eedf44bdc20cc30e3fdb2e4b61e56d94e3965f48cdb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\116a0186-bc12-4539-9915-ae08788846a3.vbs

Filesize
709B

MD5
a509f9d93554f25d869762da888747d7

SHA1
248ecbe33b342bbf435795eb1cb3266dde1006b2

SHA256
45f09e7d750e40baafd56fbe2d7f66f7f442cfc7154eb01485af5f4670c6eb5b

SHA512
7ff5132ad006f82843d713b04878c6b37b94669d870ed9388b0af7454c949e775c426a1a54f207e52522fa83928072b098f69551d3b78273d17e8207b6869cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a66ca7d-1929-44a2-8d27-7fe238654bee.vbs

Filesize
709B

MD5
07a5446cb44575075a74e5fc332b511a

SHA1
5f59585452c35c0967f9c0e7ee0611bb62c42290

SHA256
e3189b3cc59c334a5a64d7be8d3f991f7382fcff11e22aca8c4d4233b83e1d6c

SHA512
4ff74b163f3c13e358443538391b5cdb71b80ccff2b48d08c746e8523ead15e6cd1b11e88bbc94e05860bda369e874333d66042685c1baf878f4502ad5551fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f2ffae0-d323-418f-9aa9-317adde3fdbc.vbs

Filesize
709B

MD5
7575b84dba7bf2fad1a7af62e7c86b21

SHA1
9e66552477917f94763fd7b212d7c7233d81616a

SHA256
19aab0e7623259131376abb2124c8aa2b3d6acc8ca368870b3812b57955f0e0e

SHA512
a1edde80e7394f3225c1d9847f9fd4c34b56c7fbe12f234db175ed87294c24edf0881e69f4022738f7b31ddefb4a7ad647cc6211314f5a35647f8f1ac5697f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2488d2ae-8f99-4d46-958a-3d620a863743.vbs

Filesize
709B

MD5
2ea82541b5fc98c02a9372be4be49d3d

SHA1
8c9f0008f0fc8e6feae17fd255a8decfd7610869

SHA256
c1ca0c5036f4611eb0b09a6299d9876629f37c90a56e67c4cd1b6fe0cd63f02c

SHA512
5c095a144431665c4385ecc6bb229198ca81db7e097bc569a358b8f34731c311a9b520c2e78fc467c1474ddfcc240251797d8e140c0f7747658df2c69e760eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2be6a482-2306-4825-b37c-b60f170d9699.vbs

Filesize
709B

MD5
29f75198c71a3238d8c3bb68e8e1fd16

SHA1
c33937dbebce25d3b7b8204a584ac836fb4002bb

SHA256
125af95c2eb52248211d4e4c371da8590e4809f1611ec5062b9d340bd75a9d8f

SHA512
cb880342189eb7aebf165b7bf96922905784016ffd92763fb1c6cac364fb356b1772d72115b354ae69d7114c6b0c9dfdd2db9bd88be614c4fab08ce7b8263752

Download Submit
C:\Users\Admin\AppData\Local\Temp\367a84d4-ad84-453a-b5b4-5696778c3740.vbs

Filesize
709B

MD5
8ae823a824e021132c6852fa869cbe00

SHA1
5dae63ed8c8e71cf7371850156f8920c2a159aab

SHA256
5ef994d6ca9f7f7739ca934bc6a3be4a70bba08a7e4763f1f254c7ae550eaa1a

SHA512
2fd0c5f39347db99bd54d3b8137389e16c7dc2a0f4795652f7c29ed3992faa5f3323d77a029d24938af4cb0f3b636a77e967ba818cac84c56cd167897f421cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b0b80c9-79be-4293-946b-5badc31f4a24.vbs

Filesize
709B

MD5
3b58e1f3156f41b09a54f365d50c95b1

SHA1
7362c77c494f6b54dbdf9ac9fa277c0232fff8c5

SHA256
6a7d7968844c66ceadd9b7df653b70ff37a96f1d768ea139dafa18e5bd066d31

SHA512
287badca2d8ae378adbf5702c77137ab30559f39518333713ef61332e2b8f764aaed121b368d63f9586157c3a222d42f25358e575578fbf4b035be979de06ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\972b024f-db4c-42bc-a03d-ac428469057d.vbs

Filesize
485B

MD5
6917446be83e25432d20313760bdaffd

SHA1
13e22fede35f720328af9ac10466272a7289a547

SHA256
b23a29b05966c8d1b62b1172c7c6894b9c060ac8d6b648802a3370a84a6e1a7c

SHA512
bd3d3ddea4384656d3d04f5c6c1f8bfbe4cf3f559cafd61186e2db6af84835ad001221e10208d30885e309ade9082e74f5763a158baf4c11d60d8cce8ba7cb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\995baf83-7ef1-4eb6-a830-532246e9722c.vbs

Filesize
709B

MD5
9dd44f943649e91fa2031098cfd4733c

SHA1
6ffe23fbc1f10e248b7204c2c523cb6a14dbab50

SHA256
b835b5f96cbf372c5e11f89e73814fcd55c449a52711ac214cb40bae2ef3409f

SHA512
54c194c17d1193dbb73dba12d83b4ce17882097ec7e7896d32541151db8de6084f4cc6d25263f4732618509d3bf2954d9ee61637a744ed0391735b10c9bc7c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcxxe3RfzI.bat

Filesize
198B

MD5
b0b651462d6867ce0187d1b2aaba215e

SHA1
c5c6cc46622113d87f7277948cf81a4e31c78eb8

SHA256
c2e3d54fcd8c26ae8218abdde394c5476f8797c423efb7e8aa2db6e27433b8b7

SHA512
23ee3dddacba3ac273a9664dd0f5da2a592bfe65c01f45ecb01aea4ea75b5b3152ce6878589029c450dda49fa710d35d8e9bfc9dd19d826df665274609bdd506

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tskdg4xm.uvx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a85fabc9-e3aa-411e-9e9b-b3a2ef8753eb.vbs

Filesize
709B

MD5
bbe2269fa06bad449d541ac0fbea0cca

SHA1
719e151118acc61e04ade1b7b9f5bbd631506873

SHA256
48dd1327051221e2313ecb43699f9bb0a9ef08132731049cfddc295736e24096

SHA512
1827a786625847b478d69e50b6c794ce4da193b8db5d80321fc9f7b915e6d8c8d5bb94d4a00373e0fe5350c3339a9e8321005c8b9aa154747f4ee4c9d9571996

Download Submit
C:\Users\Admin\AppData\Local\Temp\b14a488d-6a4a-4d3e-955f-4109b69d8bbc.vbs

Filesize
709B

MD5
3231faf564e8f17414a5c6f1eb7e7149

SHA1
89b91e7e42e5ecd8769d027c1d6aeb2cb7f6ccb9

SHA256
ab48a1b310fa8d17e0664fb0ae47816f7b9e0803ea3b7f40f9c1ab20e6ef17fe

SHA512
7945fb949697ceb00ec93b7c548b7633e478a5da1fffe21ced8b70854d96a27c24bbc7ddeaed1d95459929b626a178f6e7af74932b458ed66befb936e6895800

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9c54f5f-c828-4a9a-ba6e-a9d0d77ec573.vbs

Filesize
709B

MD5
c0eb2792f2bddf564abcb47efd2a4eb0

SHA1
de37cb90889ebc7d9b22cd70e5b077ff3240a685

SHA256
36a195be7fa7d80ae31a6f888a10fd28d7d4599c3c411b1edd4b40f85a623026

SHA512
90c8b7169fb00011a0142973cfef4de9e99ad1d827cd6408cdc2466377104167d562c86995da9cdff9e393f721f27aba087a9fc18e049e721d6ee85c4aca86cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f543d4aa-17d9-44d5-89d2-3b15403aae99.vbs

Filesize
709B

MD5
5cd04da5547c7e9603988df3db2d51de

SHA1
962ac433560af8181dea102b69dcc226874a36bc

SHA256
69b59b208455abd72e98446865792f5b6e287858c5b2e8ea82fb96209dcbe41c

SHA512
c9523ef7186482070829444b43355f7e065626c5c06f7a4d57aa7a60ab4dd02ee6bb72dda7a6890ebdb2a9485f20808f79fd53539694c826d8d33dbec975579f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabc2466-238c-4d5c-84b8-e89393b094fc.vbs

Filesize
709B

MD5
e1d1bda43f3aef0ad983c85a7384524e

SHA1
2fe2259ae01d1c1925c8d98bded06cc70d577a3f

SHA256
c9b7c77f3ca64c84216883ebac10d41cf0937834dbf49ceb3fca9288bca8b22a

SHA512
f67c0d89037ce1c30db03abf9dc261f3302b619a621e92fe820968aa45411843d6b528de89e8adc92ea90b8e0d98c3d03f40bd30addc93d97ab63ca01509e0b8

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe

Filesize
1.6MB

MD5
0a7efdf437b268455f4d328ffb164701

SHA1
c8004052c57affe1a1dcd8a4c85d1df28f980fc9

SHA256
4fbccd0e2aec34305c845e4f50ff90aeef7701d2e94e866ba47f9e4b0beb2b92

SHA512
2fe6c1531ac2fe4ef6a128b132dad6bca73db277d884924433e814e2b7b89757ef7fc9b6d127fdf29b4776f8b3c5ea80d5593d3476db3116efcfc0b778d23720

Download Submit
memory/1184-107-0x000001EDB2900000-0x000001EDB2922000-memory.dmp

Filesize
136KB

Download
memory/3708-109-0x00007FFB25B60000-0x00007FFB26621000-memory.dmp

Filesize
10.8MB

Download
memory/3708-0-0x00007FFB25B63000-0x00007FFB25B65000-memory.dmp

Filesize
8KB

Download
memory/3708-4-0x0000000002CB0000-0x0000000002D00000-memory.dmp

Filesize
320KB

Download
memory/3708-5-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/3708-9-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/3708-10-0x0000000002C80000-0x0000000002C8C000-memory.dmp

Filesize
48KB

Download
memory/3708-11-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/3708-12-0x0000000002CA0000-0x0000000002CAA000-memory.dmp

Filesize
40KB

Download
memory/3708-13-0x0000000002D00000-0x0000000002D0E000-memory.dmp

Filesize
56KB

Download
memory/3708-14-0x0000000002D10000-0x0000000002D18000-memory.dmp

Filesize
32KB

Download
memory/3708-17-0x000000001B580000-0x000000001B58C000-memory.dmp

Filesize
48KB

Download
memory/3708-15-0x0000000002D20000-0x0000000002D28000-memory.dmp

Filesize
32KB

Download
memory/3708-16-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/3708-6-0x0000000002B10000-0x0000000002B26000-memory.dmp

Filesize
88KB

Download
memory/3708-8-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/3708-7-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3708-3-0x0000000002AF0000-0x0000000002B0C000-memory.dmp

Filesize
112KB

Download
memory/3708-2-0x00007FFB25B60000-0x00007FFB26621000-memory.dmp

Filesize
10.8MB

Download
memory/3708-1-0x0000000000740000-0x00000000008E2000-memory.dmp

Filesize
1.6MB

Download