dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

442867883ccfe230ba518cbc7ccc1faa.exe
Size

1.6MB
MD5

442867883ccfe230ba518cbc7ccc1faa
SHA1

395dc86a807f4675c172bc5e4177aca9cb948cf7
SHA256

e73b6a783715ee86d06a645c158eb006e14b7eaed35c23d2b83afa9377fb7be1
SHA512

507d50d70abbc07b9f46d5567da998850bae6423c8a77ac7369347bb238a14c96788f9149654dda34eb3d0f5f710df8d369e3d00b52024ead4bf87a4fc9d12b3
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1328	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1328	schtasks.exe	89

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/4856-1-0x0000000000120000-0x00000000002C2000-memory.dmp	dcrat
behavioral6/files/0x000a000000024075-28.dat	dcrat
behavioral6/files/0x0009000000024151-47.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
228	powershell.exe
4532	powershell.exe
2520	powershell.exe
4628	powershell.exe
4640	powershell.exe
4760	powershell.exe
4780	powershell.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	442867883ccfe230ba518cbc7ccc1faa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	442867883ccfe230ba518cbc7ccc1faa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 8 IoCs

pid	Process
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4752	winlogon.exe
2480	winlogon.exe
2180	winlogon.exe
4076	winlogon.exe
1400	winlogon.exe
2908	winlogon.exe
5068	winlogon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXBEC0.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Microsoft Office 15\fontdrvhost.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Microsoft Office 15\fontdrvhost.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Windows Media Player\fr-FR\29c1c3cc0f7685	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXBC6C.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXBCAC.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXBF3E.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Microsoft Office 15\5b884080fd4f94	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe	442867883ccfe230ba518cbc7ccc1faa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\CSC\sppsvc.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Windows\twain_32\winlogon.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Windows\twain_32\cc11b995f2a76d	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Windows\twain_32\winlogon.exe	442867883ccfe230ba518cbc7ccc1faa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	442867883ccfe230ba518cbc7ccc1faa.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	442867883ccfe230ba518cbc7ccc1faa.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
556	schtasks.exe
3084	schtasks.exe
4792	schtasks.exe
748	schtasks.exe
3844	schtasks.exe
5012	schtasks.exe
972	schtasks.exe
3400	schtasks.exe
388	schtasks.exe
3564	schtasks.exe
4456	schtasks.exe
3140	schtasks.exe
2056	schtasks.exe
4032	schtasks.exe
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4856	442867883ccfe230ba518cbc7ccc1faa.exe
4780	powershell.exe
228	powershell.exe
4532	powershell.exe
4780	powershell.exe
228	powershell.exe
4532	powershell.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4072	442867883ccfe230ba518cbc7ccc1faa.exe
4760	powershell.exe
4760	powershell.exe
4628	powershell.exe
4628	powershell.exe
4640	powershell.exe
4640	powershell.exe
2520	powershell.exe
2520	powershell.exe
4628	powershell.exe
4760	powershell.exe
4640	powershell.exe
2520	powershell.exe
4752	winlogon.exe
2480	winlogon.exe
2180	winlogon.exe
4076	winlogon.exe
1400	winlogon.exe
1400	winlogon.exe
2908	winlogon.exe
5068	winlogon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	442867883ccfe230ba518cbc7ccc1faa.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4072	442867883ccfe230ba518cbc7ccc1faa.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4752	winlogon.exe
Token: SeDebugPrivilege	2480	winlogon.exe
Token: SeDebugPrivilege	2180	winlogon.exe
Token: SeDebugPrivilege	4076	winlogon.exe
Token: SeDebugPrivilege	1400	winlogon.exe
Token: SeDebugPrivilege	2908	winlogon.exe
Token: SeDebugPrivilege	5068	winlogon.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4780	4856	442867883ccfe230ba518cbc7ccc1faa.exe	96
PID 4856 wrote to memory of 4780	4856	442867883ccfe230ba518cbc7ccc1faa.exe	96
PID 4856 wrote to memory of 228	4856	442867883ccfe230ba518cbc7ccc1faa.exe	97
PID 4856 wrote to memory of 228	4856	442867883ccfe230ba518cbc7ccc1faa.exe	97
PID 4856 wrote to memory of 4532	4856	442867883ccfe230ba518cbc7ccc1faa.exe	98
PID 4856 wrote to memory of 4532	4856	442867883ccfe230ba518cbc7ccc1faa.exe	98
PID 4856 wrote to memory of 4072	4856	442867883ccfe230ba518cbc7ccc1faa.exe	102
PID 4856 wrote to memory of 4072	4856	442867883ccfe230ba518cbc7ccc1faa.exe	102
PID 4072 wrote to memory of 2520	4072	442867883ccfe230ba518cbc7ccc1faa.exe	115
PID 4072 wrote to memory of 2520	4072	442867883ccfe230ba518cbc7ccc1faa.exe	115
PID 4072 wrote to memory of 4628	4072	442867883ccfe230ba518cbc7ccc1faa.exe	116
PID 4072 wrote to memory of 4628	4072	442867883ccfe230ba518cbc7ccc1faa.exe	116
PID 4072 wrote to memory of 4640	4072	442867883ccfe230ba518cbc7ccc1faa.exe	117
PID 4072 wrote to memory of 4640	4072	442867883ccfe230ba518cbc7ccc1faa.exe	117
PID 4072 wrote to memory of 4760	4072	442867883ccfe230ba518cbc7ccc1faa.exe	118
PID 4072 wrote to memory of 4760	4072	442867883ccfe230ba518cbc7ccc1faa.exe	118
PID 4072 wrote to memory of 3784	4072	442867883ccfe230ba518cbc7ccc1faa.exe	123
PID 4072 wrote to memory of 3784	4072	442867883ccfe230ba518cbc7ccc1faa.exe	123
PID 3784 wrote to memory of 5108	3784	cmd.exe	125
PID 3784 wrote to memory of 5108	3784	cmd.exe	125
PID 3784 wrote to memory of 4752	3784	cmd.exe	128
PID 3784 wrote to memory of 4752	3784	cmd.exe	128
PID 4752 wrote to memory of 2724	4752	winlogon.exe	129
PID 4752 wrote to memory of 2724	4752	winlogon.exe	129
PID 4752 wrote to memory of 4068	4752	winlogon.exe	130
PID 4752 wrote to memory of 4068	4752	winlogon.exe	130
PID 2724 wrote to memory of 2480	2724	WScript.exe	132
PID 2724 wrote to memory of 2480	2724	WScript.exe	132
PID 2480 wrote to memory of 1608	2480	winlogon.exe	133
PID 2480 wrote to memory of 1608	2480	winlogon.exe	133
PID 2480 wrote to memory of 2156	2480	winlogon.exe	134
PID 2480 wrote to memory of 2156	2480	winlogon.exe	134
PID 1608 wrote to memory of 2180	1608	WScript.exe	135
PID 1608 wrote to memory of 2180	1608	WScript.exe	135
PID 2180 wrote to memory of 1652	2180	winlogon.exe	136
PID 2180 wrote to memory of 1652	2180	winlogon.exe	136
PID 2180 wrote to memory of 972	2180	winlogon.exe	137
PID 2180 wrote to memory of 972	2180	winlogon.exe	137
PID 1652 wrote to memory of 4076	1652	WScript.exe	139
PID 1652 wrote to memory of 4076	1652	WScript.exe	139
PID 4076 wrote to memory of 32	4076	winlogon.exe	140
PID 4076 wrote to memory of 32	4076	winlogon.exe	140
PID 4076 wrote to memory of 2384	4076	winlogon.exe	141
PID 4076 wrote to memory of 2384	4076	winlogon.exe	141
PID 32 wrote to memory of 1400	32	WScript.exe	146
PID 32 wrote to memory of 1400	32	WScript.exe	146
PID 1400 wrote to memory of 1960	1400	winlogon.exe	147
PID 1400 wrote to memory of 1960	1400	winlogon.exe	147
PID 1400 wrote to memory of 1508	1400	winlogon.exe	148
PID 1400 wrote to memory of 1508	1400	winlogon.exe	148
PID 1960 wrote to memory of 2908	1960	WScript.exe	152
PID 1960 wrote to memory of 2908	1960	WScript.exe	152
PID 2908 wrote to memory of 1512	2908	winlogon.exe	170
PID 2908 wrote to memory of 1512	2908	winlogon.exe	170
PID 2908 wrote to memory of 1876	2908	winlogon.exe	154
PID 2908 wrote to memory of 1876	2908	winlogon.exe	154
PID 1512 wrote to memory of 5068	1512	WScript.exe	155
PID 1512 wrote to memory of 5068	1512	WScript.exe	155
PID 5068 wrote to memory of 4528	5068	winlogon.exe	156
PID 5068 wrote to memory of 4528	5068	winlogon.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe
"C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe
  "C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\08KkwMxM7s.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5108
  - - C:\Windows\twain_32\winlogon.exe
      "C:\Windows\twain_32\winlogon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1105bab-b910-4caa-9cab-ca5c129d90f3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b83e9b8-2707-4ec7-a8de-a460405366c1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\519a8b90-19f1-4dbf-8d7c-08fbac4f1cd2.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99308fce-8eaa-4440-92f2-fddb1d17048a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\670296f7-aa1e-4cd2-807a-74e01b764e18.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\243bd939-ef39-4dc6-9234-93f00b374926.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\049ceaec-b13b-440d-a75a-016b9f0fb08f.vbs"
        17⤵
        
        PID:4528
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        18⤵
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceca4151-73a2-46dd-9116-103fa510af15.vbs"
        19⤵
        
        PID:1412
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        20⤵
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2213f2cf-2895-4bfc-b5de-ca496c933519.vbs"
        21⤵
        
        PID:2012
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        22⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0691f49-8fe7-4030-b5c1-668f91a04bbf.vbs"
        23⤵
        
        PID:4272
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        24⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87815508-563b-4bc9-b668-e7dae4ea3dc0.vbs"
        25⤵
        
        PID:4516
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        26⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6335df-46ed-47ea-b890-29f895f630e7.vbs"
        27⤵
        
        PID:3024
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        28⤵
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8945c56-d722-4a61-87c5-e29f3e4a5ca1.vbs"
        29⤵
        
        PID:3084
        
        C:\Windows\twain_32\winlogon.exe
        
        C:\Windows\twain_32\winlogon.exe
        30⤵
        
        PID:3784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ccfb87-91a5-488c-897d-ff4503ec77c9.vbs"
        31⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e7d3056-7b52-41d5-8ef4-952b7e9b3d6a.vbs"
        31⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285b2945-97a2-413f-aa70-5aa982a2e0d1.vbs"
        29⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7780cf1-23a8-49c3-a765-7f261ebefd42.vbs"
        27⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd119eda-f64b-44c8-96f4-2e9f589e3acd.vbs"
        25⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f12188b-bc37-45be-ae9f-c9abf99a1ed6.vbs"
        23⤵
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0e913dd-d8ee-412b-8ba4-ae3eb480c813.vbs"
        21⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29ecc705-4ec3-4f30-a93a-32e4529cb87c.vbs"
        19⤵
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e00b01b-5e73-470f-ac29-3a5d830f40c8.vbs"
        17⤵
        
        PID:3920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff44e363-01d7-44d9-84c7-5de492b5b7d4.vbs"
        15⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1e461e-4cd8-42ba-adad-cac4f99f7e05.vbs"
        13⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3ea6b4-300e-4d92-b649-d3695fc327d1.vbs"
        11⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7b6e97-d800-49ff-9c26-3ebe79b184be.vbs"
        9⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8643af6b-d2ba-48f3-9e1a-b807426e9d12.vbs"
        7⤵
        
        PID:2156
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5230d5dc-06f1-406b-9023-fad2aa6bf293.vbs"
        5⤵
        
        PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office 15\fontdrvhost.exe

Filesize
1.6MB

MD5
442867883ccfe230ba518cbc7ccc1faa

SHA1
395dc86a807f4675c172bc5e4177aca9cb948cf7

SHA256
e73b6a783715ee86d06a645c158eb006e14b7eaed35c23d2b83afa9377fb7be1

SHA512
507d50d70abbc07b9f46d5567da998850bae6423c8a77ac7369347bb238a14c96788f9149654dda34eb3d0f5f710df8d369e3d00b52024ead4bf87a4fc9d12b3

Download Submit
C:\Program Files\Windows Media Player\fr-FR\unsecapp.exe

Filesize
1.6MB

MD5
22992e9bd61d098175d718dae7c6cd68

SHA1
1970e0e135160eabb44d2558cd2f2158bab45358

SHA256
67ab41a456f2a865bd4af85eee6b6af55f8da2d5f0a47169c1caad611b0efc1c

SHA512
777c41e0ad4cbbd879978c4daafb708075e07d84f659608b4e163b16740dcab3093402a4f838df2a91cbea3b6e9809c9d72cf3a11921bf4b663070b64a530823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\442867883ccfe230ba518cbc7ccc1faa.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8719edbfd6e55edd2b91a5667dbd21af

SHA1
7c489dc8674d1cdb115753beceecf53e709bbc41

SHA256
e1b54baf626a4ab438440167ec2901b6267546ca838ba0feefe3b6f69d54df10

SHA512
562d6198edafe2c3bc504253aa7734f9741d2443d51d0e2188aaafe40183e2377a0aceddc594932ef8a7c95dd8e426388d966bd2cbaa77ed4d0cf3df666c151a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffaa33c7940b1713a06a430414e2fed0

SHA1
b1ade7d02b641ac9c382fad82cb1d31362fafb91

SHA256
a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e

SHA512
61913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\049ceaec-b13b-440d-a75a-016b9f0fb08f.vbs

Filesize
708B

MD5
6b475ee02321a6ca097cddbf56a7788c

SHA1
a8d5c0bd3c10e2b8b1e7a48a9e61c60ea0c86e00

SHA256
d4d06971b858d0e8baf19bab1beee6862dad21466d0d8882785dc44818326689

SHA512
0ff539bcc75c8d3db4a7e3aa3beb76c2e38da9f2491c58dc6ae1b25707aff501a37b8fda52b930a28b36192f3850662709d73fc23b64f8d488b473777b25169d

Download Submit
C:\Users\Admin\AppData\Local\Temp\08KkwMxM7s.bat

Filesize
197B

MD5
523b924b78ecab805649cf4576010b67

SHA1
f2bec91c2166a008a40f79adf56beee4b67f7397

SHA256
dcc3f2e4f2525a7174adc79ad0b6ad9ee9d673ec3a161afd0542664d393b901d

SHA512
7d742cf3fa26bf34d8bbcbbbf6445569cfc58d1d5f6c02e496f350fce6ddc85d4e34c936f30a495c330e0f448c3b63d6ea45e0a15de5fd69d29eee38ee4f5dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2213f2cf-2895-4bfc-b5de-ca496c933519.vbs

Filesize
708B

MD5
31544264250d16e4f4a6d173ee3b9347

SHA1
3e1b5b95e7b4ab3fc066bbc89fe746cc21564f13

SHA256
e64bea205ae7a68ccbb42dd385b986e540628895d50789c07407927e94748896

SHA512
910f3928020d770ff1fefff79a215f233dd4222f6f2919c0c26351c2427baf77fa3692172afe22ae6f31f5e901849593c97ec61aa67a2ba0d76b2b21e221393b

Download Submit
C:\Users\Admin\AppData\Local\Temp\243bd939-ef39-4dc6-9234-93f00b374926.vbs

Filesize
708B

MD5
e3d024fd94356a027337180c4465887f

SHA1
c1743e54e4fbd765aebd339768b5cc44bde810c5

SHA256
01a67d70d60275f62f9a24c3bcec66b803b431d34330950dbb0da5d970ce550a

SHA512
b03b1e16926ddc197d6c44846ac0d41c0c61eebeb82f14814fdba63e8532ea3cb3fd1e59b397dc106ea110c2d241583038a720927bdcf38ef446f1c341bbeee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\519a8b90-19f1-4dbf-8d7c-08fbac4f1cd2.vbs

Filesize
708B

MD5
0c9794faefe81f484c3f258924b1a610

SHA1
d2dd2479dc7f971e181d7860ab2d36af12f74086

SHA256
845e62135be5ef1272ea09bbb6c2a65c1debcc72120599996778636fe9bbaa05

SHA512
2b390a0111ff9b4c10ae024b406a4989ccacf33dd3ff095784a38f4198f7ce110a53500d2f0f35bace99ae28b4872ea9165133694ee1c406d40cc28e171bfbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5230d5dc-06f1-406b-9023-fad2aa6bf293.vbs

Filesize
484B

MD5
35696809768e836c89ce088a0fc78dfc

SHA1
86c3ffe27525edb677c65536f7b20c8353f00d1d

SHA256
90293ab0237c0ad28e3e121d8c0357910fa303433229637673aca7e32e656e2f

SHA512
7f48736bea9b25984626dae67e0f826cb57dfaba1e303a628bfc4da327fbb5d98d0de1e1bf74f6ecc00b5d93702223821a9d9a4ccf5c690ba74f80c1d4324d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b83e9b8-2707-4ec7-a8de-a460405366c1.vbs

Filesize
708B

MD5
ba70907aec75d56721720a5b15652ed0

SHA1
6f481b40932ba348488789c47d331b6b21607224

SHA256
c35f4515a1acbba926e5370e8534e1124eb99aa340ab87097f4c8378cb6f36c7

SHA512
5ce7df05132ae116503b32185847154efd3da215b739df74529ed83c85518fbbf2271148cde79b59b4ad53801ae50f29cdac8f9fd2a15f632f278ac183b9a8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\670296f7-aa1e-4cd2-807a-74e01b764e18.vbs

Filesize
708B

MD5
48014c11977ac0d7a4b8f8e7b9bf1fb6

SHA1
84b4634010de736bb38b2b5bd8a75d34de13728d

SHA256
482173a79c6d770c11ed73e65711d4e1ac4c394e628801005d3a515d9da38062

SHA512
5f0d7ad3f8bd69328ad11cab9706508eaeea3e0f64835866445aaa901870dcfac0a06ebe1c4d5aab77b0c587b18d9339b66ec6afd8f0427dc337cff333731de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\87815508-563b-4bc9-b668-e7dae4ea3dc0.vbs

Filesize
708B

MD5
7a659679477925746422acca7e62091c

SHA1
cf3853cf36c244eed7c69849470d5da2af97ab33

SHA256
df61d3f23f47167d0d172fae9826edfd5cadd5753d1072bb376a84de531192e0

SHA512
08029bc83597a53be84b0503a6b84d3cb84b04ec25e9bf9292ae84b27a401153713ea3d9739ef71de9e71c88e39bc1a440a4a1cc22edb45f4e149a2b308ca292

Download Submit
C:\Users\Admin\AppData\Local\Temp\99308fce-8eaa-4440-92f2-fddb1d17048a.vbs

Filesize
708B

MD5
8d87f24befb1caf9c80107d1568d63a3

SHA1
3235f1f1ada42c31592f6e82ad25c413c2062bf7

SHA256
8ca487fe073d74c85ff7a2dfa0105f248b22adf3adbd07fe1d57fc418385eb3e

SHA512
817cab6bdd39bca94b95dfd5feb95f4a09ba4cb9758cbb11be68bdda4c1d3e46119cde5548fd29113dc78c61bcce5dcae4439618a717fc9756f958e4c8e8f615

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_robznv5i.0xn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1105bab-b910-4caa-9cab-ca5c129d90f3.vbs

Filesize
708B

MD5
104bbb91079ede9e699bf1bfd79f7760

SHA1
e49ec7ce8c6bc21b8f46db2ab8086169d3f90fd1

SHA256
f5d8da9ecafe1f2e73ede8aa57661ad8f657dafd6e036120e9a7965bcd4ad97b

SHA512
3d5b528ca89f0f1b1ec2cb61ac8000e4cdca2ef42c20e039a841576606dd2fb97c9797708c7e52f8eacf74085e8babb29474ccef7e0b2a911305544357d87d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc6335df-46ed-47ea-b890-29f895f630e7.vbs

Filesize
708B

MD5
62e5c1673eb8f077f2c81f95f90bde1e

SHA1
1375f321ef7504e0bb486dd948ab377235bb6c0b

SHA256
ea2e2d178aeeaf07ef8d9de5b0ec62a9fc292286272140091b4959ca3a58e90b

SHA512
8d7200f17b1085f4cfd7d6908717e47a4fe2436f51a31deddca0e3870f9982228891fa08631d5468dd0890c1e970038e019cfe413a7b75c143742ca847446f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceca4151-73a2-46dd-9116-103fa510af15.vbs

Filesize
708B

MD5
7f62cdb17e629838d75c42d65a22a6e3

SHA1
5323894de682e88f3a168a8f2b3c52234f116ca6

SHA256
383a4449f4c1f1c700acef40525840f047a3edd2e7e823d5f3c7dcde5d7b9d3a

SHA512
c89ec120b65e6d56740ea38aa491e4410f2d46510c95e8ba117c5a378e1148eb2849d0d6fd287b5d6489b7642f94abdccbc2f9c6fab93d8d8722dd71e4d18545

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0691f49-8fe7-4030-b5c1-668f91a04bbf.vbs

Filesize
708B

MD5
d0052beb1baf77aa7c800bd578f8c1c3

SHA1
22215d6b2af5b48e61bde94f6543cbae808f4525

SHA256
8f8a04c007df710e2de040ee8d481c8878b59b0472aab683e05486c0f659f8c8

SHA512
babbb63ee3f23d763df7346898a6e8ec5c31060d974dd2aff3f2530ae0e77227f06a03fec9a5bef736f07949f0a55f8348df19630a507d19fb34a47503ec44d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8945c56-d722-4a61-87c5-e29f3e4a5ca1.vbs

Filesize
708B

MD5
8895f608e0024713060e6a3df51c478a

SHA1
367d0cf9b8b3b27efffacf7c09aef01620dbe7b2

SHA256
4ad2fb989dab813437a770a5463240b02e78edd9738ddfc608ef7472a779ee87

SHA512
54cd70aef91d4b1627dbae5fccbb8b794d0624286fa7c48a6cea4386fe56038c9fbe7505a46bfb4f840f2df1c312a8476575501443e334e4a470512323f40235

Download Submit
memory/4780-60-0x0000027CCC560000-0x0000027CCC582000-memory.dmp

Filesize
136KB

Download
memory/4856-8-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/4856-11-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/4856-7-0x000000001AF10000-0x000000001AF18000-memory.dmp

Filesize
32KB

Download
memory/4856-10-0x000000001B550000-0x000000001B55C000-memory.dmp

Filesize
48KB

Download
memory/4856-17-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/4856-6-0x000000001AEF0000-0x000000001AF06000-memory.dmp

Filesize
88KB

Download
memory/4856-0-0x00007FFF4D5F3000-0x00007FFF4D5F5000-memory.dmp

Filesize
8KB

Download
memory/4856-4-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/4856-89-0x00007FFF4D5F0000-0x00007FFF4E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-9-0x000000001B540000-0x000000001B548000-memory.dmp

Filesize
32KB

Download
memory/4856-5-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/4856-3-0x000000001AEC0000-0x000000001AEDC000-memory.dmp

Filesize
112KB

Download
memory/4856-16-0x000000001B7B0000-0x000000001B7BA000-memory.dmp

Filesize
40KB

Download
memory/4856-2-0x00007FFF4D5F0000-0x00007FFF4E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-15-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/4856-14-0x000000001B790000-0x000000001B798000-memory.dmp

Filesize
32KB

Download
memory/4856-1-0x0000000000120000-0x00000000002C2000-memory.dmp

Filesize
1.6MB

Download
memory/4856-13-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/4856-12-0x000000001B570000-0x000000001B57A000-memory.dmp

Filesize
40KB

Download