dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4202cc1a54d458c6b3a7579733cc35c1.exe
Size

1.6MB
MD5

4202cc1a54d458c6b3a7579733cc35c1
SHA1

db3f6aee406b73fb0a831cf988b98282d7516918
SHA256

545876aff174a4c02160e0c1b7e3d513f9010daa140b1e287883e2387aca8a96
SHA512

b2423ec0ed40f7de79b0e8248858354e1d5fee95b66f72612048aace23e1e0d39945cd769ff7866adbc41cbb7f90983f438f8667ddff6fbc8445eb76ba2fac92
SSDEEP

24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	2168	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2168	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2168	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2168	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2168	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2168	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/6020-1-0x00000000000D0000-0x0000000000272000-memory.dmp	dcrat
behavioral26/files/0x00070000000242b0-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
816	powershell.exe
5300	powershell.exe
2456	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	4202cc1a54d458c6b3a7579733cc35c1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 16 IoCs

pid	Process
5148	sihost.exe
4804	sihost.exe
3872	sihost.exe
2296	sihost.exe
2788	sihost.exe
3036	sihost.exe
3084	sihost.exe
1912	sihost.exe
4852	sihost.exe
5900	sihost.exe
4480	sihost.exe
6004	sihost.exe
1656	sihost.exe
1140	sihost.exe
3328	sihost.exe
2524	sihost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX89C5.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX89C6.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\66fc9ff0ee96c2	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX87C0.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX87C1.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	4202cc1a54d458c6b3a7579733cc35c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	4202cc1a54d458c6b3a7579733cc35c1.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5900	schtasks.exe
1540	schtasks.exe
1888	schtasks.exe
4032	schtasks.exe
2296	schtasks.exe
4696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
6020	4202cc1a54d458c6b3a7579733cc35c1.exe
5300	powershell.exe
5300	powershell.exe
816	powershell.exe
816	powershell.exe
5300	powershell.exe
2456	powershell.exe
2456	powershell.exe
816	powershell.exe
2456	powershell.exe
5148	sihost.exe
4804	sihost.exe
3872	sihost.exe
2296	sihost.exe
2296	sihost.exe
2788	sihost.exe
2788	sihost.exe
3036	sihost.exe
3036	sihost.exe
3084	sihost.exe
3084	sihost.exe
1912	sihost.exe
4852	sihost.exe
5900	sihost.exe
5900	sihost.exe
4480	sihost.exe
6004	sihost.exe
1656	sihost.exe
1140	sihost.exe
3328	sihost.exe
3328	sihost.exe
2524	sihost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	6020	4202cc1a54d458c6b3a7579733cc35c1.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	5148	sihost.exe
Token: SeDebugPrivilege	4804	sihost.exe
Token: SeDebugPrivilege	3872	sihost.exe
Token: SeDebugPrivilege	2296	sihost.exe
Token: SeDebugPrivilege	2788	sihost.exe
Token: SeDebugPrivilege	3036	sihost.exe
Token: SeDebugPrivilege	3084	sihost.exe
Token: SeDebugPrivilege	1912	sihost.exe
Token: SeDebugPrivilege	4852	sihost.exe
Token: SeDebugPrivilege	5900	sihost.exe
Token: SeDebugPrivilege	4480	sihost.exe
Token: SeDebugPrivilege	6004	sihost.exe
Token: SeDebugPrivilege	1656	sihost.exe
Token: SeDebugPrivilege	1140	sihost.exe
Token: SeDebugPrivilege	3328	sihost.exe
Token: SeDebugPrivilege	2524	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6020 wrote to memory of 816	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	93
PID 6020 wrote to memory of 816	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	93
PID 6020 wrote to memory of 2456	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	94
PID 6020 wrote to memory of 2456	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	94
PID 6020 wrote to memory of 5300	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	95
PID 6020 wrote to memory of 5300	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	95
PID 6020 wrote to memory of 408	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	99
PID 6020 wrote to memory of 408	6020	4202cc1a54d458c6b3a7579733cc35c1.exe	99
PID 408 wrote to memory of 2120	408	cmd.exe	101
PID 408 wrote to memory of 2120	408	cmd.exe	101
PID 408 wrote to memory of 5148	408	cmd.exe	106
PID 408 wrote to memory of 5148	408	cmd.exe	106
PID 5148 wrote to memory of 2372	5148	sihost.exe	107
PID 5148 wrote to memory of 2372	5148	sihost.exe	107
PID 5148 wrote to memory of 5032	5148	sihost.exe	108
PID 5148 wrote to memory of 5032	5148	sihost.exe	108
PID 2372 wrote to memory of 4804	2372	WScript.exe	111
PID 2372 wrote to memory of 4804	2372	WScript.exe	111
PID 4804 wrote to memory of 2524	4804	sihost.exe	112
PID 4804 wrote to memory of 2524	4804	sihost.exe	112
PID 4804 wrote to memory of 3248	4804	sihost.exe	113
PID 4804 wrote to memory of 3248	4804	sihost.exe	113
PID 2524 wrote to memory of 3872	2524	WScript.exe	114
PID 2524 wrote to memory of 3872	2524	WScript.exe	114
PID 3872 wrote to memory of 5480	3872	sihost.exe	116
PID 3872 wrote to memory of 5480	3872	sihost.exe	116
PID 3872 wrote to memory of 844	3872	sihost.exe	117
PID 3872 wrote to memory of 844	3872	sihost.exe	117
PID 5480 wrote to memory of 2296	5480	WScript.exe	119
PID 5480 wrote to memory of 2296	5480	WScript.exe	119
PID 2296 wrote to memory of 2412	2296	sihost.exe	123
PID 2296 wrote to memory of 2412	2296	sihost.exe	123
PID 2296 wrote to memory of 4932	2296	sihost.exe	124
PID 2296 wrote to memory of 4932	2296	sihost.exe	124
PID 2412 wrote to memory of 2788	2412	WScript.exe	125
PID 2412 wrote to memory of 2788	2412	WScript.exe	125
PID 2788 wrote to memory of 5544	2788	sihost.exe	126
PID 2788 wrote to memory of 5544	2788	sihost.exe	126
PID 2788 wrote to memory of 4864	2788	sihost.exe	127
PID 2788 wrote to memory of 4864	2788	sihost.exe	127
PID 5544 wrote to memory of 3036	5544	WScript.exe	128
PID 5544 wrote to memory of 3036	5544	WScript.exe	128
PID 3036 wrote to memory of 5800	3036	sihost.exe	129
PID 3036 wrote to memory of 5800	3036	sihost.exe	129
PID 3036 wrote to memory of 3368	3036	sihost.exe	130
PID 3036 wrote to memory of 3368	3036	sihost.exe	130
PID 5800 wrote to memory of 3084	5800	WScript.exe	131
PID 5800 wrote to memory of 3084	5800	WScript.exe	131
PID 3084 wrote to memory of 2500	3084	sihost.exe	132
PID 3084 wrote to memory of 2500	3084	sihost.exe	132
PID 3084 wrote to memory of 4244	3084	sihost.exe	133
PID 3084 wrote to memory of 4244	3084	sihost.exe	133
PID 2500 wrote to memory of 1912	2500	WScript.exe	134
PID 2500 wrote to memory of 1912	2500	WScript.exe	134
PID 1912 wrote to memory of 5064	1912	sihost.exe	135
PID 1912 wrote to memory of 5064	1912	sihost.exe	135
PID 1912 wrote to memory of 5228	1912	sihost.exe	136
PID 1912 wrote to memory of 5228	1912	sihost.exe	136
PID 5064 wrote to memory of 4852	5064	WScript.exe	138
PID 5064 wrote to memory of 4852	5064	WScript.exe	138
PID 4852 wrote to memory of 5460	4852	sihost.exe	139
PID 4852 wrote to memory of 5460	4852	sihost.exe	139
PID 4852 wrote to memory of 3408	4852	sihost.exe	140
PID 4852 wrote to memory of 3408	4852	sihost.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe
"C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2120
- - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5148
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35e820d-be5d-44a7-8e66-b9edab7bf153.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d79996e-5dbb-480c-90e0-f435ceab555f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd81e6f-216f-4790-97f3-f58d34c3fc78.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5480
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef6652e-3bea-4ee1-9793-dd495dd7bc55.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e2ee814-4632-42ab-a418-a13ab5524a2d.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5544
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\131c1458-8193-4d09-b112-b3f9556aa562.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5834e958-ad4d-4bda-b98b-adcc203fc174.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12863916-cf13-4001-8133-8a3d8d4e9fd5.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a97184-3916-4c0e-a236-82fdfb1a6050.vbs"
        20⤵
        
        PID:5460
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90bd64d7-3103-4de4-a238-f672faff6d35.vbs"
        22⤵
        
        PID:1952
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5d45eb-12a5-4bd7-a8e3-d1cf2df219ce.vbs"
        24⤵
        
        PID:2336
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2813fadb-4d11-40e8-a7aa-22bc1825e0ee.vbs"
        26⤵
        
        PID:2780
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbd68a4-a043-4044-9a37-1859eb63159b.vbs"
        28⤵
        
        PID:5436
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f42b52e6-04dc-439e-b11a-4b783b107ead.vbs"
        30⤵
        
        PID:1720
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e123fb10-4849-4117-b6b5-09c9451bca65.vbs"
        32⤵
        
        PID:4796
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5effce9-47c9-4011-b703-931d4650867d.vbs"
        34⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41fdab7-f92f-42f5-9eb6-0861c4f134b0.vbs"
        34⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6833a45b-1790-49dc-8077-7b51e2583a6a.vbs"
        32⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12f730b-da53-4981-9e38-38ece6584c73.vbs"
        30⤵
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c0143d-865e-4794-a596-a2d811c21888.vbs"
        28⤵
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1e259c-eb7e-4c81-9c75-0c07d55b60ef.vbs"
        26⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ad21a61-f095-4865-8113-79903350e7d4.vbs"
        24⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f81946d-1b6e-4c4d-868c-b5c719adfd4b.vbs"
        22⤵
        
        PID:3604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c23a157c-cc6c-45d5-94e4-80ffa55cf29b.vbs"
        20⤵
        
        PID:3408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500f75af-bc5c-4be6-9d09-7303c7d42bfa.vbs"
        18⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1468189f-14f6-47d3-89b2-26ca7e641820.vbs"
        16⤵
        
        PID:4244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2165ceb7-bc21-4fc0-bc52-733d48d3f1c6.vbs"
        14⤵
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\525e2bb2-9fa1-4b53-bf19-1c725d217f13.vbs"
        12⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a906041-68ed-4e72-b244-0be4929950a4.vbs"
        10⤵
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d45f0876-8513-42ec-ab5a-7a4ba3c12c77.vbs"
        8⤵
        
        PID:844
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a276f9-c5bb-4daf-ad3c-08410f7cd43b.vbs"
        6⤵
        
        PID:3248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3102da34-8f23-463b-989b-51d0f07b269c.vbs"
      4⤵
      PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe

Filesize
1.6MB

MD5
4202cc1a54d458c6b3a7579733cc35c1

SHA1
db3f6aee406b73fb0a831cf988b98282d7516918

SHA256
545876aff174a4c02160e0c1b7e3d513f9010daa140b1e287883e2387aca8a96

SHA512
b2423ec0ed40f7de79b0e8248858354e1d5fee95b66f72612048aace23e1e0d39945cd769ff7866adbc41cbb7f90983f438f8667ddff6fbc8445eb76ba2fac92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\12863916-cf13-4001-8133-8a3d8d4e9fd5.vbs

Filesize
740B

MD5
4b416a98abaf6c50702d1f20de62d4b9

SHA1
9ed8d72963755c69153ed2e5441f3605eb169783

SHA256
a910e6aea1838f60cb0ec6e462520d2407c4a03cb5ff4737690d35fabb0e95f3

SHA512
b516b79cd3384bd9a2657486b0913dfde177294faec3a41b5c4521b84ec663130a16743fa10b79204232e3d7f445ab90745a109ebb7e3efade3653779390f0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\131c1458-8193-4d09-b112-b3f9556aa562.vbs

Filesize
740B

MD5
093bd3be9d89771075a552e811a3feb7

SHA1
2439cd6ba357d2784ffbbea27da1952661ca358b

SHA256
9cba475d8a2bbf4723781a984df35acbbd1b11829b2c8f1d2ab6add01de8e80b

SHA512
0515f4181d2c1020cabca199dad2d2cd3a4f2dab451f4a7776985c1ef50cf196d4f0191dd167d840f9410928e6d8f40d6e768553d513a2220b60c60bbaf1f2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d79996e-5dbb-480c-90e0-f435ceab555f.vbs

Filesize
740B

MD5
0f4e04068c7a021e47b268792ecbf34e

SHA1
0a01beaed5e9df9338516afbf9082db107c44a3c

SHA256
ec4d76817da8896afd0aae1c205363d7e84a234301247851a25e45aef0226c0d

SHA512
72e4a467e4756d53d5cda4e877be82398d46229458fa3731a88df4bd6aea77000f2a899ed9c71f62a183351614c2a9158330cb7b52e8f3cb624fac0966bde2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e2ee814-4632-42ab-a418-a13ab5524a2d.vbs

Filesize
740B

MD5
ad99829c0ef8ce3e2126801da1efea2d

SHA1
7dc4f78f85449be88f97094c7b22b840e7227fe0

SHA256
6de88191bd413a27d653713c0db9b581a632cc0537fb24a799e90147809723b6

SHA512
cb6e6d84222700457d38801a5b806500f0884dd30f0601d35c2c67fc26f1615794857e9da7f93182858e7522de0fd4967c159ec8599b0951eddc30d8518dcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ef6652e-3bea-4ee1-9793-dd495dd7bc55.vbs

Filesize
740B

MD5
5883cb1c1b1625069dd6cd8935c43c3b

SHA1
4afde0df4c690bf24b6e98df63fa1b4f733f8655

SHA256
564b357cfdeeb0ef0276c8a41c0b0d4a39382c6c53b6e9f744c5a5619d8d45c9

SHA512
a908d5fdeba155679da9b0d9bbc7ec614b5fac971707982c5d22cb9213366adbe47246a594b0d9bae216ad625e27497d0bee2c65e3b95f470f44c04e72b33d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3102da34-8f23-463b-989b-51d0f07b269c.vbs

Filesize
516B

MD5
7a41083bef4a9ba434391989fe0846f5

SHA1
9c01bddeff590b7a8ab1b97d59fab534c55d2c5d

SHA256
9f914b8001f5a05edb4121b22133887c084d793bee8079cb2e330b0ebc7e49e9

SHA512
35b3b95d5ce2043821208e5c2818368c5474b64ed34619185f864e928647b2e7388b092e2588fbd150f2915a1ac60acb7ed0d609c6c470c09a8df730051a6223

Download Submit
C:\Users\Admin\AppData\Local\Temp\5834e958-ad4d-4bda-b98b-adcc203fc174.vbs

Filesize
740B

MD5
1a7bf09d5677485a043a6d3f27e95d6b

SHA1
30e11a8a13de8da489a0b3cb82bf2dc7d0c9740c

SHA256
600066076f6079f332c3d1e037d4327d08029b288826339bdffdf7a683dd041c

SHA512
c2fd39096df3d8086e07289cd0f182d6e279fbef07175b65a0f9d2fcc7b704a03d116d0840972b1b5a220ead871294e45047f3c162d8de19bd036bfd32d91611

Download Submit
C:\Users\Admin\AppData\Local\Temp\90bd64d7-3103-4de4-a238-f672faff6d35.vbs

Filesize
740B

MD5
fa87b393e537365563074cc65d0f2294

SHA1
0ac3dda30a7ea4496a84820438e26d2672ff4bf2

SHA256
b3e13dda1b6dc7b7b8394b54b6671989401affd14b52a50eb3a861f97fec22fe

SHA512
5f5d9053da891447570d9066578160ae2a5c29f9c039913c902445028062263e2ba3e1978d9f7d956bbc5d82f24d8f6f120bf354a7d6e617581a1e184b63b0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\97a97184-3916-4c0e-a236-82fdfb1a6050.vbs

Filesize
740B

MD5
436deab12144d5371877b5e3c79223b9

SHA1
7b5a7555f31621c6a076704a2274cfba2bfeca32

SHA256
85f3fdacf259bb05c806703d201ba27139cc75503039fffd30514429aa61427a

SHA512
f4c7150b956d634237c198a7b14a3f4378cdc7dcf56ccab9e9962bd2cad36ee92700a4f702e52eb76af4697a118ad7318e79f7935a215f7a6055fa5a1571bcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayldsx5l.ca2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcbd68a4-a043-4044-9a37-1859eb63159b.vbs

Filesize
740B

MD5
df42afdef78ac82053184f946f84ddfc

SHA1
7d852ea205c6e01f55813b69adc6dfe6a60d4bbe

SHA256
ca4c12445307fea6c83caa4fc614c8bac20be8d70f21d50c4aa04c6ebad4d1b3

SHA512
6461834e39d966a783d533f5116a1454ea9a0c6945827430ba3a6f19fc0e31317cb68930a120aef237381a8a82ea86cf532f228ed59242f956b474fa0dce9f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdd81e6f-216f-4790-97f3-f58d34c3fc78.vbs

Filesize
740B

MD5
3701595cd38c2fcd07f3077904a0e603

SHA1
0c6142636f4b7ad261e7ab2be3f868871f8a30b1

SHA256
3eb4694ba0329374bb4050311f6b5dccf9fb74d37125674ed729616f31c88e2f

SHA512
ebc127096990d32adc3a89c55caca5ffd0ac0329cf6fc9a085f4b1c2f70ce1f2074af8502aa229ae452b287ba0cac6425f26bdee054566dd72ceb048a3aef22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat

Filesize
229B

MD5
7967885c2fb5742358aa0e46bd1ef78d

SHA1
bf48924748d30c9aab13776de5acc7eae5f9288d

SHA256
486ee36292d0952ea5da93c1c2da36c7e9e611927c265be2fbca75b8895e2c45

SHA512
230570217763575991a8a92d40f76e52c0a6a76f00a051a83768579b8d0e0af42ae3ed72a041ddbf7c0b9ca5a01a84e4b78c275ff2a04825b555471c3a88f03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd5d45eb-12a5-4bd7-a8e3-d1cf2df219ce.vbs

Filesize
740B

MD5
9e64a6f61653ed06ea755d6a0503af1a

SHA1
282c87bd01a68b69a346ff8cdd17527e55d7a162

SHA256
3b5c7dedd1f867ce50cf0eb0e8db594492999d7f11dd4cff1aa43b437290ffe1

SHA512
0d62c165418952bd3b5d9a2825e8271a3858d599a896d8ff9d0c715002b9c35cebc2b76b3206960fe52aa26f29d5beaae7e51ac2f8fec7ae2302414da82b1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\e123fb10-4849-4117-b6b5-09c9451bca65.vbs

Filesize
740B

MD5
8b2fb93197ef9896311575242855a1ab

SHA1
1a7bd8287e0388848119cc1121e9ce7870d8da9b

SHA256
c2371b743bf519484b5a66a97e701ae1b386295ab16f1f15b19b3ea9dbb0b09c

SHA512
cf96c7648644f265c343761ba2d379da5fa2ff1109672e8d50d201e41b885fa43e9fe7a5c0bb4848c3fda2fa0caea3a80ce946315323b55d94c86b91457a7ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e35e820d-be5d-44a7-8e66-b9edab7bf153.vbs

Filesize
740B

MD5
972b7fb127a8cf84e3330b3e9a4fe016

SHA1
a5dc7e7c96109231d34c8829bd9f482b2a98ff54

SHA256
42f9497f4f1387635ee0f1e530b1ba398ee0c4d46640282fdca96c43b8150ef8

SHA512
e57245cbb603b666ecf4a56b5e52d63682916b4bb90a769c98f91c7874b7ba2dc4ef2ea2e8c36951d9996595f4173de443ef523601533c6f010fe7be5baee8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f42b52e6-04dc-439e-b11a-4b783b107ead.vbs

Filesize
740B

MD5
7accb27b5173b33ad2b28950daa889b7

SHA1
3250fea51ef04d73857ff1e3f5e6f3b7734a4d32

SHA256
d89b4b3ba02db5362d6cbf7f90b2274b3bb5607fc963338e4fce3cf049038fd3

SHA512
6bab214835ad7a246c4bc9bdd510ec9d3da490ff5e5c92437887b2b717754ae2f074213512643a13befa3455bc28c585faf4dc840fe3ca2a5ef91b80594197c3

Download Submit
memory/5300-59-0x00000218E5700000-0x00000218E5722000-memory.dmp

Filesize
136KB

Download
memory/6020-76-0x00007FFAE86E0000-0x00007FFAE91A1000-memory.dmp

Filesize
10.8MB

Download
memory/6020-0-0x00007FFAE86E3000-0x00007FFAE86E5000-memory.dmp

Filesize
8KB

Download
memory/6020-16-0x000000001B560000-0x000000001B56A000-memory.dmp

Filesize
40KB

Download
memory/6020-14-0x000000001B540000-0x000000001B548000-memory.dmp

Filesize
32KB

Download
memory/6020-15-0x000000001B550000-0x000000001B558000-memory.dmp

Filesize
32KB

Download
memory/6020-17-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/6020-13-0x000000001B530000-0x000000001B53E000-memory.dmp

Filesize
56KB

Download
memory/6020-12-0x000000001B520000-0x000000001B52A000-memory.dmp

Filesize
40KB

Download
memory/6020-11-0x000000001AE00000-0x000000001AE0C000-memory.dmp

Filesize
48KB

Download
memory/6020-9-0x000000001ADE0000-0x000000001ADE8000-memory.dmp

Filesize
32KB

Download
memory/6020-10-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

Filesize
48KB

Download
memory/6020-7-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/6020-8-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/6020-6-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/6020-4-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/6020-5-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/6020-3-0x0000000000B40000-0x0000000000B5C000-memory.dmp

Filesize
112KB

Download
memory/6020-2-0x00007FFAE86E0000-0x00007FFAE91A1000-memory.dmp

Filesize
10.8MB

Download
memory/6020-1-0x00000000000D0000-0x0000000000272000-memory.dmp

Filesize
1.6MB

Download