dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86513494c7861a5a0c9f1c0fb478e36d.exe
Size

2.5MB
MD5

86513494c7861a5a0c9f1c0fb478e36d
SHA1

0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256

80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512

e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
SSDEEP

49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4724	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	4724	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4724	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4724	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4724	schtasks.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
540	powershell.exe
4552	powershell.exe
3272	powershell.exe
4908	powershell.exe
1668	powershell.exe
2644	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	86513494c7861a5a0c9f1c0fb478e36d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 15 IoCs

pid	Process
4440	smss.exe
844	smss.exe
4048	smss.exe
4116	smss.exe
208	smss.exe
1672	smss.exe
5108	smss.exe
1908	smss.exe
3300	smss.exe
2728	smss.exe
4404	smss.exe
3456	smss.exe
5044	smss.exe
3304	smss.exe
3332	smss.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Windows\\System32\\find\\BackgroundTransferHost.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\smss.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\dfe2e59cddd00040f555dab607351a1d\\wininit.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\jscript9\\fontdrvhost.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\find\BackgroundTransferHost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\find\BackgroundTransferHost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\find\766532ba8a13d2	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\jscript9\fontdrvhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\find\RCX5650.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\find\RCX5651.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\jscript9\fontdrvhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\jscript9\5b884080fd4f94	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\jscript9\RCX5D0C.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\jscript9\RCX5D1D.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\69ddcba757bf72	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX5874.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX5875.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\22eafd247d37c3	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\RCX5F9F.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\RCX5FA0.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	86513494c7861a5a0c9f1c0fb478e36d.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1296	schtasks.exe
3404	schtasks.exe
852	schtasks.exe
1692	schtasks.exe
5040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2300	86513494c7861a5a0c9f1c0fb478e36d.exe
2644	powershell.exe
2644	powershell.exe
540	powershell.exe
540	powershell.exe
1668	powershell.exe
1668	powershell.exe
4552	powershell.exe
4552	powershell.exe
3272	powershell.exe
3272	powershell.exe
540	powershell.exe
1668	powershell.exe
4908	powershell.exe
4908	powershell.exe
4552	powershell.exe
2644	powershell.exe
4908	powershell.exe
3272	powershell.exe
4440	smss.exe
4440	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe
844	smss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	86513494c7861a5a0c9f1c0fb478e36d.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	4440	smss.exe
Token: SeDebugPrivilege	844	smss.exe
Token: SeDebugPrivilege	4048	smss.exe
Token: SeDebugPrivilege	4116	smss.exe
Token: SeDebugPrivilege	208	smss.exe
Token: SeDebugPrivilege	1672	smss.exe
Token: SeDebugPrivilege	5108	smss.exe
Token: SeDebugPrivilege	1908	smss.exe
Token: SeDebugPrivilege	3300	smss.exe
Token: SeDebugPrivilege	2728	smss.exe
Token: SeDebugPrivilege	4404	smss.exe
Token: SeDebugPrivilege	3456	smss.exe
Token: SeDebugPrivilege	5044	smss.exe
Token: SeDebugPrivilege	3304	smss.exe
Token: SeDebugPrivilege	3332	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4908	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	99
PID 2300 wrote to memory of 4908	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	99
PID 2300 wrote to memory of 3272	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	100
PID 2300 wrote to memory of 3272	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	100
PID 2300 wrote to memory of 4552	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	125
PID 2300 wrote to memory of 4552	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	125
PID 2300 wrote to memory of 540	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	102
PID 2300 wrote to memory of 540	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	102
PID 2300 wrote to memory of 2644	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	103
PID 2300 wrote to memory of 2644	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	103
PID 2300 wrote to memory of 1668	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	104
PID 2300 wrote to memory of 1668	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	104
PID 2300 wrote to memory of 4824	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	110
PID 2300 wrote to memory of 4824	2300	86513494c7861a5a0c9f1c0fb478e36d.exe	110
PID 4824 wrote to memory of 4904	4824	cmd.exe	113
PID 4824 wrote to memory of 4904	4824	cmd.exe	113
PID 4824 wrote to memory of 4440	4824	cmd.exe	116
PID 4824 wrote to memory of 4440	4824	cmd.exe	116
PID 4440 wrote to memory of 2844	4440	smss.exe	117
PID 4440 wrote to memory of 2844	4440	smss.exe	117
PID 4440 wrote to memory of 2268	4440	smss.exe	118
PID 4440 wrote to memory of 2268	4440	smss.exe	118
PID 2844 wrote to memory of 844	2844	WScript.exe	120
PID 2844 wrote to memory of 844	2844	WScript.exe	120
PID 844 wrote to memory of 4404	844	smss.exe	121
PID 844 wrote to memory of 4404	844	smss.exe	121
PID 844 wrote to memory of 3264	844	smss.exe	122
PID 844 wrote to memory of 3264	844	smss.exe	122
PID 4404 wrote to memory of 4048	4404	WScript.exe	123
PID 4404 wrote to memory of 4048	4404	WScript.exe	123
PID 4048 wrote to memory of 2716	4048	smss.exe	124
PID 4048 wrote to memory of 2716	4048	smss.exe	124
PID 4048 wrote to memory of 4552	4048	smss.exe	125
PID 4048 wrote to memory of 4552	4048	smss.exe	125
PID 2716 wrote to memory of 4116	2716	WScript.exe	132
PID 2716 wrote to memory of 4116	2716	WScript.exe	132
PID 4116 wrote to memory of 532	4116	smss.exe	135
PID 4116 wrote to memory of 532	4116	smss.exe	135
PID 4116 wrote to memory of 3068	4116	smss.exe	136
PID 4116 wrote to memory of 3068	4116	smss.exe	136
PID 532 wrote to memory of 208	532	WScript.exe	140
PID 532 wrote to memory of 208	532	WScript.exe	140
PID 208 wrote to memory of 2300	208	smss.exe	141
PID 208 wrote to memory of 2300	208	smss.exe	141
PID 208 wrote to memory of 3056	208	smss.exe	142
PID 208 wrote to memory of 3056	208	smss.exe	142
PID 2300 wrote to memory of 1672	2300	WScript.exe	143
PID 2300 wrote to memory of 1672	2300	WScript.exe	143
PID 1672 wrote to memory of 3380	1672	smss.exe	144
PID 1672 wrote to memory of 3380	1672	smss.exe	144
PID 1672 wrote to memory of 408	1672	smss.exe	145
PID 1672 wrote to memory of 408	1672	smss.exe	145
PID 3380 wrote to memory of 5108	3380	WScript.exe	146
PID 3380 wrote to memory of 5108	3380	WScript.exe	146
PID 5108 wrote to memory of 4988	5108	smss.exe	147
PID 5108 wrote to memory of 4988	5108	smss.exe	147
PID 5108 wrote to memory of 4480	5108	smss.exe	148
PID 5108 wrote to memory of 4480	5108	smss.exe	148
PID 4988 wrote to memory of 1908	4988	WScript.exe	150
PID 4988 wrote to memory of 1908	4988	WScript.exe	150
PID 1908 wrote to memory of 3232	1908	smss.exe	151
PID 1908 wrote to memory of 3232	1908	smss.exe	151
PID 1908 wrote to memory of 852	1908	smss.exe	152
PID 1908 wrote to memory of 852	1908	smss.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe
"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\find\BackgroundTransferHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\jscript9\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mFL6E8qZp6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4904
- - C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
    "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b079c04-495c-4fe2-89c9-0b4f5793c231.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7da15118-0976-4e0a-a9f1-b965e34d52c0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5274ed18-70d5-4308-a1d8-e3647fe3a1cb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\050b4428-5ebe-4008-9300-ddf37e21ee63.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d88a2028-a8cd-4a54-8053-2502ddef464f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0ae911-fed0-4eaa-8b65-261a0238411a.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fccf1bd-62b2-4d22-bc98-342461ae6c07.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c85b7a6-a976-433c-a16b-7197a39f1178.vbs"
        18⤵
        
        PID:3232
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb725a7-79c3-4cc7-961b-6e31bf2fad86.vbs"
        20⤵
        
        PID:3316
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63154a15-f709-4595-911a-fd039d2378c6.vbs"
        22⤵
        
        PID:4904
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35b94402-8719-4b05-973e-7f164024596d.vbs"
        24⤵
        
        PID:3600
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e926df7-3fb8-4c55-ac7b-3e42001e64ae.vbs"
        26⤵
        
        PID:2752
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3361069a-fdc9-4472-b8f5-c34bf11a0a4a.vbs"
        28⤵
        
        PID:3280
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a36dce7-dcf7-48bf-a9f6-905165cd478a.vbs"
        30⤵
        
        PID:4976
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daeb5052-745b-450e-b314-781d798150f5.vbs"
        32⤵
        
        PID:4904
        
        C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"
        33⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2123606a-d3a9-4caa-a2e8-f52de713c68c.vbs"
        34⤵
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85832a49-76e8-4696-967c-78deed286755.vbs"
        34⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89817f68-b912-4a93-ac21-5ee65f8f8f97.vbs"
        32⤵
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137d256d-a172-4b94-93ce-53b8cbfe3d26.vbs"
        30⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c3d366-512d-442a-bc30-bdbd51dd3df2.vbs"
        28⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f23059-b9a2-414e-92a9-30ca54c0fc78.vbs"
        26⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb0dcd2-41c4-4f08-ae34-059dfcb893c6.vbs"
        24⤵
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b598749-c560-4bfe-9a87-6e91aab51894.vbs"
        22⤵
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\382e081c-c7f8-436b-8715-a55aa96b4a88.vbs"
        20⤵
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2330eb04-9995-4531-b7ab-d214ec303eee.vbs"
        18⤵
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\069d5e4a-3e3d-4184-b9bc-3d59fe78a4e3.vbs"
        16⤵
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f969f2-50af-4d42-9df2-4c440aa79148.vbs"
        14⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf9da48-80b8-48e7-87bc-b92f7bb82f3a.vbs"
        12⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2119cd77-2327-4f8c-9e99-8f3caa6e64f0.vbs"
        10⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab201df-4dc6-43fb-9713-aff038ee7190.vbs"
        8⤵
        
        PID:4552
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb51fc8-9a61-44f6-a329-c3cbff5187b4.vbs"
        6⤵
        
        PID:3264
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17530c8-f96b-41e3-8620-9974a796ac59.vbs"
      4⤵
      PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Windows\System32\find\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\jscript9\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
842369b08704bbddf9de4d90016e58dd

SHA1
8bc3da656c08abbc14c58201e65b0dc823964bea

SHA256
cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808

SHA512
8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc1d0291bbd8e80c9703fb1f4b4d14dc

SHA1
084009b8f1e67e03c9b7333293fbc00d3617948e

SHA256
4a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a

SHA512
75672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffaa33c7940b1713a06a430414e2fed0

SHA1
b1ade7d02b641ac9c382fad82cb1d31362fafb91

SHA256
a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e

SHA512
61913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\050b4428-5ebe-4008-9300-ddf37e21ee63.vbs

Filesize
736B

MD5
f06f56731073316ecc7ccd04b9588213

SHA1
d4218b05ed7131a215fd59522a4fcd69dc2fe201

SHA256
a4fa4915f261ef4c56867bb10322e0eb8767b0860a5272b873ff90016220f458

SHA512
ec7e217073f8475ab7e114f27168e2d202366987b2afef77979186453519a426f11ca75ce38521aec511b209ee0d0a42e3228424d4d4db6c3adc6cb30074b256

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a36dce7-dcf7-48bf-a9f6-905165cd478a.vbs

Filesize
736B

MD5
a017c74aaed5103f69d494b135e0d8c2

SHA1
f39a5ee4d83d306aabfdf3a33fe282751cbc1065

SHA256
1ed7e4cf85ecfbb194e0aa1dfc73a78a5cbbf4df09dbc8f82230afb85e83c15c

SHA512
5fea17e5929bf157a3660b805556e844dd19306f3d737f37fdcc28949c75a96b35b5584ec96bf28cf3ea213a6fd8a5e3540c2a78887140e4d83d67c1ce759be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e926df7-3fb8-4c55-ac7b-3e42001e64ae.vbs

Filesize
736B

MD5
8a919a3fb0657f24e8e4b471ddfded41

SHA1
2340e8388e9f7b3da06a1ac7b0ae633bd9f67580

SHA256
5a9cca5a05acfdcb6c911551071ca71d88db19643a145d70b17a7fc18ae42a06

SHA512
786a769e93a9b3195b78971ca192130d2f11029a5fb8e5257f4e4577d37fc58b2abe8a7e52cdd86f75c428644cb12453d66794dfe67381b683f1fe4f71afe46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3361069a-fdc9-4472-b8f5-c34bf11a0a4a.vbs

Filesize
736B

MD5
14d87f2cbed8b9cc2d90a772a4809e62

SHA1
3ddb9a5004309b93dae001b9065834d5724ba369

SHA256
a3921bb8b34ebed286dce76ebad523e59b0e9b31791d0ce07a34a98137b9450b

SHA512
544f27061490e1b28befa4d03ec62d5e8112a6bd0f6860d7fc785792127d5f85d94bc6fb933d40b882f03c65c06361f04653b7ac83180a43502fb36ba7037e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\35b94402-8719-4b05-973e-7f164024596d.vbs

Filesize
736B

MD5
e8c8403edf0739770c2d508c6cc239d7

SHA1
97a94cae9ea81d24ae3b0dfca25663f9d7c1a022

SHA256
e3bcfe1cbc299166eb46f097f3007b89204227990b246b0f76c9ef56f2730fd5

SHA512
7c30900b5da0a67f2e9d2ffd39b28ba39f3acd8a641cc61dcfbb584e2bc21284d148b4d88db0d66c0027e2ec23377f8e1e29e84e321ef0a15caeb4160f1ab901

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fccf1bd-62b2-4d22-bc98-342461ae6c07.vbs

Filesize
736B

MD5
f3e45a68be423b21b984c9bf573472ec

SHA1
97a37fa9c5c7a6489df164f9e9c1441957e5c560

SHA256
9a3d6e0837750736b15f385fb70ebb488d124351bbdea8072726d3cc163c87b3

SHA512
c0da85be1e0db312982684f0fe0808fec14c06b9537403a0f3b67af731775bc4813b71f2558b54021750770b8cbdd07e42ff923d4722cc3b8c4ad4cd8c6b91d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5274ed18-70d5-4308-a1d8-e3647fe3a1cb.vbs

Filesize
736B

MD5
25a71243b4e954c1d5114b476fe0440d

SHA1
294c1f33d78c42cf68697eb4ef2ba8a72faa5ba0

SHA256
6cae87277f671a7f56abc95e463238f7495c4bafe79a25a827391055786a6e36

SHA512
c0ab211a12808c99e6e5cfe74e7b4e3d03003cf40acf9cc0f6be1cc1d96ec28f419c42c020bc8c8fe41bf6ff35218ae686b3fd60e6fedf084b099c4fa7eb75d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\63154a15-f709-4595-911a-fd039d2378c6.vbs

Filesize
736B

MD5
b5dea2c2dbfac503c01427bf2be71b0f

SHA1
c6f15dbf1254d7a1628229c7bb5b73183d5d47fe

SHA256
3c119f50c1c781591b9f292db857f37742144b43bba51fde8958cc5d5e2991ac

SHA512
a110389da241973d7e5561c9571f2fc82da5a6a6152df15594212e8a8a30308fee4a96be87ed62ad9d4b73c29f1a919c21289bd83c0b652ca847b4520e6bf799

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b079c04-495c-4fe2-89c9-0b4f5793c231.vbs

Filesize
736B

MD5
308b20a7912151808054a5191011768e

SHA1
92d52972e9b08b31d01bd4780f8fc0a64a9fff36

SHA256
74840a166dba0e08d38f6afc33bfd74947730b47c81019c459f5e6994bd5ca4d

SHA512
aa246dd7996ac6a1c8c4467f8316a6c6de72088ee40a12a259f00c88c6c2f464844ec36da7c079ad5761973cfca24e295a04659cd75251e5a4e56ae4ddf3006f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7da15118-0976-4e0a-a9f1-b965e34d52c0.vbs

Filesize
735B

MD5
d886ecbacd7f48f03a5c83f00c328b26

SHA1
250c620f05a1ccd275f17922994556bcbd674976

SHA256
7fec8a0ed666bddb79f8ccb5a005bbaee0e4d5f768b61dd75a4f8859fb4c04fb

SHA512
80476137e87f87d007a6ed5f46a6a236a49f98c04e652c2bcae20671651526222a94113ba335183494f8d86c28c213bf3f27eefa209eaffb4f050388191f2245

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c85b7a6-a976-433c-a16b-7197a39f1178.vbs

Filesize
736B

MD5
3cfba908f7deebe028447c6ded6f47d0

SHA1
edf4ef8a03e5b020bc0a97ee2f4817951e59bd6e

SHA256
e8ccc33ccbd79dc7eb35b3ea44ec6f3065c2e4ec9d749e4dcdb59de031c11cf8

SHA512
51b21a2b49b4f384941710d2fbcdfa3c8cb15d1f1ced58469fe29a8b6263c88bb89b7265327cc2f1960958f7e878a1c5159fd33dc77a8cdcf40609ed2bc859ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b0ae911-fed0-4eaa-8b65-261a0238411a.vbs

Filesize
736B

MD5
42489eba2ca1dac99f1154f2ae7de265

SHA1
8ab19186f062bac870318a732e967b8b0b176a81

SHA256
9aeb72699784ae522aaab50d33dd97fb5de167709a1f55a3d9a67a469bb4a141

SHA512
1be29b4a6d7decd8df1b835df43405028a5e69226ad0f6451bb72359733d31e6bcebbd0e09b960fbdc452ca36e2d6840c9d25049b35d8348bb4e7bbaa2c300e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fb725a7-79c3-4cc7-961b-6e31bf2fad86.vbs

Filesize
736B

MD5
6403e133afe39914ae06ce0ef3d9aeab

SHA1
c191eb1e43edae4820d3336413c74306407e7146

SHA256
da6f44df0354602eaa0987b49456cfa5ab71b0bdd667aa71b28b7b699923c8aa

SHA512
bdf7979c8620c551286910376a4893cd764795fb689d4d7aa1f415fe24b31326a090651cebdbc30f2ab899ddca9e1ee6890eb5d708badb374da97391a094fb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jej2fs1.r3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d88a2028-a8cd-4a54-8053-2502ddef464f.vbs

Filesize
735B

MD5
d9744e0c3769071d667d9f8e89bd2b1a

SHA1
dbe3e95cab238847f52f01131f6fc39bdafb124a

SHA256
94ba1a5e7d8d24c4af91942f62123c883224dd46030657b0d48c2acb86e111fe

SHA512
5ac1181296cc5acf89a57cbaad9f126d2b98b148b4f766c2c320d42f9b790117422f726d6dd1c92a893dd05982d42e54b34202adf49ef7bafde8d28b0a2b51d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f17530c8-f96b-41e3-8620-9974a796ac59.vbs

Filesize
512B

MD5
2439ce820018d347626820aa745fc2e3

SHA1
27b607fadb3c1ddd6978c0edfd2bc6986925e2c3

SHA256
7edcfdf752d9a3a728cdb8bac2acc1e81e7b7dcac68c225dbc1ca70fb03dcf3d

SHA512
7a51abcacb00740e1eef50f00accaca1bdacf26c31c0452dedf7ecc43bfda45c82945b5f3bd08f19ea82e1eab5261baa2ac19468ab8a267a5624ffb64eb6711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFL6E8qZp6.bat

Filesize
224B

MD5
7b2bbe5dea5efeec98583261a7af3ee1

SHA1
064e36db719739aa588b545a23d6eb3f2df0da4e

SHA256
aafd29d9138b2aeb26de83ab4c6fec582ec73cd47af6c6cc81e0124bd6274d7b

SHA512
ef0cec5c507a6d7c103d8f50ba22867f0987c47c17af8dbaf394159c811d69c588ac34558b30718fe797b5169802837db04edb675a278d5dba534cc1e790a28b

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe

Filesize
2.5MB

MD5
86513494c7861a5a0c9f1c0fb478e36d

SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f

SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

Download Submit
memory/540-107-0x000001E079450000-0x000001E079472000-memory.dmp

Filesize
136KB

Download
memory/2300-15-0x000000001BE00000-0x000000001BE0A000-memory.dmp

Filesize
40KB

Download
memory/2300-0-0x00007FF8AA1C3000-0x00007FF8AA1C5000-memory.dmp

Filesize
8KB

Download
memory/2300-11-0x000000001C450000-0x000000001C978000-memory.dmp

Filesize
5.2MB

Download
memory/2300-12-0x000000001B410000-0x000000001B41A000-memory.dmp

Filesize
40KB

Download
memory/2300-1-0x0000000000530000-0x00000000007B6000-memory.dmp

Filesize
2.5MB

Download
memory/2300-5-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/2300-4-0x00000000028E0000-0x00000000028FC000-memory.dmp

Filesize
112KB

Download
memory/2300-13-0x000000001B430000-0x000000001B43A000-memory.dmp

Filesize
40KB

Download
memory/2300-108-0x00007FF8AA1C0000-0x00007FF8AAC81000-memory.dmp

Filesize
10.8MB

Download
memory/2300-16-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

Filesize
48KB

Download
memory/2300-17-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

Filesize
32KB

Download
memory/2300-6-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2300-18-0x000000001BCF0000-0x000000001BCFA000-memory.dmp

Filesize
40KB

Download
memory/2300-14-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/2300-9-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

Filesize
32KB

Download
memory/2300-10-0x000000001B400000-0x000000001B412000-memory.dmp

Filesize
72KB

Download
memory/2300-2-0x00007FF8AA1C0000-0x00007FF8AAC81000-memory.dmp

Filesize
10.8MB

Download
memory/2300-8-0x000000001BB00000-0x000000001BB56000-memory.dmp

Filesize
344KB

Download
memory/2300-3-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/2300-7-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2728-272-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/4404-284-0x000000001C3B0000-0x000000001C406000-memory.dmp

Filesize
344KB

Download
memory/4440-171-0x000000001CEE0000-0x000000001CF36000-memory.dmp

Filesize
344KB

Download