dcrat | ec57a5693533b024615c157ec0e3867b2eb73a65a12c20501ef8ff00ffd8f65c

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ce67df193db91ca606ca62cfd5ffef2.exe
Size

2.5MB
MD5

7ce67df193db91ca606ca62cfd5ffef2
SHA1

f02ff6e498478d340865f7f4626ec0485d091b0c
SHA256

7b562c692b687673085ad7a1d3a85ce903c930d8b17da8a09cdfc7e382b5f719
SHA512

5aa42516fe917bed086d7e89d691c01cff876cc4fe50756c4e8bdd899511b04deccb5ecd5f980ea7843f63e4547093b81a892762da17119762f20a960a9e76a2
SSDEEP

49152:KGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:KGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	2460	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	2460	schtasks.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5696	powershell.exe
1956	powershell.exe
5560	powershell.exe
1280	powershell.exe
1224	powershell.exe
924	powershell.exe
1160	powershell.exe
620	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	7ce67df193db91ca606ca62cfd5ffef2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 16 IoCs

pid	Process
3128	fontdrvhost.exe
1752	fontdrvhost.exe
2156	fontdrvhost.exe
2456	fontdrvhost.exe
1272	fontdrvhost.exe
4924	fontdrvhost.exe
4940	fontdrvhost.exe
3628	fontdrvhost.exe
4552	fontdrvhost.exe
4776	fontdrvhost.exe
6016	fontdrvhost.exe
1160	fontdrvhost.exe
4072	fontdrvhost.exe
1516	fontdrvhost.exe
2000	fontdrvhost.exe
3232	fontdrvhost.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default User\\fontdrvhost.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\winlogon.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\Videos\\fontdrvhost.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\4d7dcf6448637544ea7e961be1ad\\SearchApp.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Start Menu\\explorer.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7ce67df193db91ca606ca62cfd5ffef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4624	schtasks.exe
3132	schtasks.exe
5196	schtasks.exe
5788	schtasks.exe
1772	schtasks.exe
3696	schtasks.exe
4764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
924	powershell.exe
924	powershell.exe
1956	powershell.exe
1956	powershell.exe
5696	powershell.exe
5696	powershell.exe
1224	powershell.exe
1224	powershell.exe
1280	powershell.exe
1280	powershell.exe
1160	powershell.exe
1160	powershell.exe
620	powershell.exe
620	powershell.exe
5560	powershell.exe
5560	powershell.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
2036	7ce67df193db91ca606ca62cfd5ffef2.exe
924	powershell.exe
5696	powershell.exe
1280	powershell.exe
620	powershell.exe
1956	powershell.exe
1224	powershell.exe
1160	powershell.exe
5560	powershell.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe
3128	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	7ce67df193db91ca606ca62cfd5ffef2.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	3128	fontdrvhost.exe
Token: SeDebugPrivilege	1752	fontdrvhost.exe
Token: SeDebugPrivilege	2156	fontdrvhost.exe
Token: SeDebugPrivilege	2456	fontdrvhost.exe
Token: SeDebugPrivilege	1272	fontdrvhost.exe
Token: SeDebugPrivilege	4924	fontdrvhost.exe
Token: SeDebugPrivilege	4940	fontdrvhost.exe
Token: SeDebugPrivilege	3628	fontdrvhost.exe
Token: SeDebugPrivilege	4552	fontdrvhost.exe
Token: SeDebugPrivilege	4776	fontdrvhost.exe
Token: SeDebugPrivilege	6016	fontdrvhost.exe
Token: SeDebugPrivilege	1160	fontdrvhost.exe
Token: SeDebugPrivilege	4072	fontdrvhost.exe
Token: SeDebugPrivilege	1516	fontdrvhost.exe
Token: SeDebugPrivilege	2000	fontdrvhost.exe
Token: SeDebugPrivilege	3232	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 620	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	100
PID 2036 wrote to memory of 620	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	100
PID 2036 wrote to memory of 5696	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	101
PID 2036 wrote to memory of 5696	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	101
PID 2036 wrote to memory of 1956	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	102
PID 2036 wrote to memory of 1956	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	102
PID 2036 wrote to memory of 5560	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	103
PID 2036 wrote to memory of 5560	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	103
PID 2036 wrote to memory of 1280	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	104
PID 2036 wrote to memory of 1280	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	104
PID 2036 wrote to memory of 1224	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	105
PID 2036 wrote to memory of 1224	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	105
PID 2036 wrote to memory of 924	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	106
PID 2036 wrote to memory of 924	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	106
PID 2036 wrote to memory of 1160	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	107
PID 2036 wrote to memory of 1160	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	107
PID 2036 wrote to memory of 3128	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	117
PID 2036 wrote to memory of 3128	2036	7ce67df193db91ca606ca62cfd5ffef2.exe	117
PID 3128 wrote to memory of 5368	3128	fontdrvhost.exe	118
PID 3128 wrote to memory of 5368	3128	fontdrvhost.exe	118
PID 3128 wrote to memory of 5616	3128	fontdrvhost.exe	119
PID 3128 wrote to memory of 5616	3128	fontdrvhost.exe	119
PID 5368 wrote to memory of 1752	5368	WScript.exe	122
PID 5368 wrote to memory of 1752	5368	WScript.exe	122
PID 1752 wrote to memory of 4228	1752	fontdrvhost.exe	123
PID 1752 wrote to memory of 4228	1752	fontdrvhost.exe	123
PID 1752 wrote to memory of 4780	1752	fontdrvhost.exe	124
PID 1752 wrote to memory of 4780	1752	fontdrvhost.exe	124
PID 4228 wrote to memory of 2156	4228	WScript.exe	126
PID 4228 wrote to memory of 2156	4228	WScript.exe	126
PID 2156 wrote to memory of 4468	2156	fontdrvhost.exe	127
PID 2156 wrote to memory of 4468	2156	fontdrvhost.exe	127
PID 2156 wrote to memory of 2328	2156	fontdrvhost.exe	128
PID 2156 wrote to memory of 2328	2156	fontdrvhost.exe	128
PID 4468 wrote to memory of 2456	4468	WScript.exe	137
PID 4468 wrote to memory of 2456	4468	WScript.exe	137
PID 2456 wrote to memory of 624	2456	fontdrvhost.exe	138
PID 2456 wrote to memory of 624	2456	fontdrvhost.exe	138
PID 2456 wrote to memory of 940	2456	fontdrvhost.exe	139
PID 2456 wrote to memory of 940	2456	fontdrvhost.exe	139
PID 624 wrote to memory of 1272	624	WScript.exe	140
PID 624 wrote to memory of 1272	624	WScript.exe	140
PID 1272 wrote to memory of 4860	1272	fontdrvhost.exe	141
PID 1272 wrote to memory of 4860	1272	fontdrvhost.exe	141
PID 1272 wrote to memory of 4784	1272	fontdrvhost.exe	142
PID 1272 wrote to memory of 4784	1272	fontdrvhost.exe	142
PID 4860 wrote to memory of 4924	4860	WScript.exe	143
PID 4860 wrote to memory of 4924	4860	WScript.exe	143
PID 4924 wrote to memory of 3128	4924	fontdrvhost.exe	144
PID 4924 wrote to memory of 3128	4924	fontdrvhost.exe	144
PID 4924 wrote to memory of 4424	4924	fontdrvhost.exe	145
PID 4924 wrote to memory of 4424	4924	fontdrvhost.exe	145
PID 3128 wrote to memory of 4940	3128	WScript.exe	146
PID 3128 wrote to memory of 4940	3128	WScript.exe	146
PID 4940 wrote to memory of 5600	4940	fontdrvhost.exe	147
PID 4940 wrote to memory of 5600	4940	fontdrvhost.exe	147
PID 4940 wrote to memory of 5188	4940	fontdrvhost.exe	148
PID 4940 wrote to memory of 5188	4940	fontdrvhost.exe	148
PID 5600 wrote to memory of 3628	5600	WScript.exe	149
PID 5600 wrote to memory of 3628	5600	WScript.exe	149
PID 3628 wrote to memory of 2316	3628	fontdrvhost.exe	150
PID 3628 wrote to memory of 2316	3628	fontdrvhost.exe	150
PID 3628 wrote to memory of 3776	3628	fontdrvhost.exe	151
PID 3628 wrote to memory of 3776	3628	fontdrvhost.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe
"C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Start Menu\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Users\Default User\fontdrvhost.exe
  "C:\Users\Default User\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f46a77-35a0-4856-92bc-074cd85acf50.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5368
  - - C:\Users\Default User\fontdrvhost.exe
      "C:\Users\Default User\fontdrvhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ba5cc6c-e9ee-4687-9bab-1751ba28dcc2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d6e2bac-1ccc-49c1-a58f-0df2b493098e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6183b4b-8167-4e04-97ca-61c0f9145297.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7aff8cb3-fe26-453e-8299-c81fd1ae4bc8.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ac68eb-648a-4646-85d5-068f699282c1.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83ed7fb-f5b8-4d0a-88d9-7da160fb8d86.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f88f17-4cc2-4f59-bfaf-5ca2f65838e6.vbs"
        17⤵
        
        PID:2316
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0893709d-05f0-4c50-a05e-cd86192fedd7.vbs"
        19⤵
        
        PID:1388
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda407c3-e396-4361-9649-f8dc2559b453.vbs"
        21⤵
        
        PID:4388
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f625ff0f-c714-4172-8ea2-f90fba6b3980.vbs"
        23⤵
        
        PID:1324
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\087fa9bd-8b02-4b3d-8f8f-ab88bb4088e0.vbs"
        25⤵
        
        PID:4800
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36525fb5-27ef-4f8f-9879-7478cc1a3654.vbs"
        27⤵
        
        PID:5756
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2186b664-8966-47fa-8ad9-0887156424c1.vbs"
        29⤵
        
        PID:2964
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4397c53-d843-494a-837e-bd0c5519e5a8.vbs"
        31⤵
        
        PID:3464
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbcc963e-4458-4302-9514-2a1d26010cf0.vbs"
        33⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c610c68b-9e9c-4263-b7ea-09eedbb45052.vbs"
        33⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b5790b8-eb85-4045-b023-9d17a7acf42e.vbs"
        31⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b63ad88-6e26-45b9-8591-64faccfd15ed.vbs"
        29⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f02df28-2de6-48cd-b160-f204d98f09a7.vbs"
        27⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f140036-d7c4-4ff2-9371-ee057788ead7.vbs"
        25⤵
        
        PID:424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9da53119-d96a-4db1-89a2-612f53ce4bf6.vbs"
        23⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5db08201-7187-4977-b79a-39fd9aae4d5f.vbs"
        21⤵
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b8fb7f9-2280-47a6-ab78-e23839ea620e.vbs"
        19⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cf75ef1-331e-4cc0-a153-a22a01600302.vbs"
        17⤵
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ba77e1-5ef1-477e-8d6a-2faf9f161a8f.vbs"
        15⤵
        
        PID:5188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\754d2c04-9652-4d53-a355-62063fb4bda7.vbs"
        13⤵
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db937338-6072-4ae5-b89f-28214d446faa.vbs"
        11⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8ba3f44-ceca-41db-8054-e7d4bf7957f4.vbs"
        9⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28425f64-caaf-4dcb-b441-91b3dca698f1.vbs"
        7⤵
        
        PID:2328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6a8782-69f4-4a72-a59e-4d282b965d22.vbs"
        5⤵
        
        PID:4780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211fbbca-18b5-448a-abaf-e9b0e1052272.vbs"
    3⤵
    PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe

Filesize
2.5MB

MD5
7ce67df193db91ca606ca62cfd5ffef2

SHA1
f02ff6e498478d340865f7f4626ec0485d091b0c

SHA256
7b562c692b687673085ad7a1d3a85ce903c930d8b17da8a09cdfc7e382b5f719

SHA512
5aa42516fe917bed086d7e89d691c01cff876cc4fe50756c4e8bdd899511b04deccb5ecd5f980ea7843f63e4547093b81a892762da17119762f20a960a9e76a2

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe

Filesize
2.5MB

MD5
0da071aa48d58c24a39b0a66396808d1

SHA1
5701501e5fe692b8dccb30d3513feab8c1c1d426

SHA256
eb019f9c0f89ac0ac38086f5145ce6447939a6ca6eefb413d420c459f09387ee

SHA512
3a7b4be640d41953ebee095fff3c6877a2adff7bf4f78453fc55f3fa6417003ff69cdb53395ce80e2c49689f8914f56c0b1e438e07893ab2f5988cca16f1d6b7

Download Submit
C:\PerfLogs\RuntimeBroker.exe

Filesize
2.5MB

MD5
8171df49c646fe35e70345f3b22eacdf

SHA1
30cb429ff7015859937c868e52cdc7f824ac6e9f

SHA256
fbc48916eac79556744f17ac94e243c7190d3c9c16b2ccdb2a32ae3705d3cc4e

SHA512
1f1991c2f388438ce40c56ba7c8076ecc4ebe90c97c13f77dda9115d29ffe286f4707d1c0bb87225be01df7e2c41b2124770338d6758085c85b2fe323f4729b4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\explorer.exe

Filesize
2.5MB

MD5
0f7b33a482903cae08d34d8eaf755f31

SHA1
fcf3c8a2c4d66d9ec82e1e896cc2941d1275f054

SHA256
a1da4d7468f5e452df0e3ed74d6ee87e83e06277ffac5c4226ddec9599e23e2b

SHA512
5b98822fd946d5bce2680f213b80e97aa1ec357c76d39766325e8c75b4cce0f7f64ecdf186a2ea40a1fe1d0b4c1d515f0618eb669ccf643ccb37139f33112ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Temp\087fa9bd-8b02-4b3d-8f8f-ab88bb4088e0.vbs

Filesize
713B

MD5
8f88a6534da76521f487d18590acf022

SHA1
ce772d58292b96a645f4e451a82636341146529a

SHA256
20cbea4636b7da1891603db5205dacb2e8405ece98c29cdc0f140ca51538a8ac

SHA512
c8cad23b963c16756199dae335784e52d2551076c2ac90a549814255a14118c0f289566167ee612c3dd3f401669abfb183d1b4c0e5fec58d66b9902e8f8bd7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0893709d-05f0-4c50-a05e-cd86192fedd7.vbs

Filesize
713B

MD5
e3f415b26f38bf1e6fddfa2af17e8acb

SHA1
7807b18372f1005d0c93285c8ae4172f2ed2558f

SHA256
45f7f69841ed519562111b77d47b92f4fc300ad5548ad2f6b85564bcc94559fe

SHA512
c2311e778714ab60b8b9f760c00452a5cd454995ff304fceadf1bface0a4d4e20786a3da0eaec88a4ac46c0bc01d4e7f5244c46cb522ebf86f4402a24e9539d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ba5cc6c-e9ee-4687-9bab-1751ba28dcc2.vbs

Filesize
713B

MD5
f5bc51a0fa9acc51f6c9d25dd2b8f78b

SHA1
0d727f7e9bc8b51cda36e727e633a1264008acd1

SHA256
4e98fcccb44c55d09842cd2f317ae597ab1c4d612aefafade0dc5c3f99804913

SHA512
b4c2a72d4b60d9b5e284130709747a893914fec85e688994073110eb552b05698bb0f8a117a404cc9559f26f5b544a09428b8f3880a4f050e1a271fc40464403

Download Submit
C:\Users\Admin\AppData\Local\Temp\211fbbca-18b5-448a-abaf-e9b0e1052272.vbs

Filesize
489B

MD5
a74edd5a90b07a264f4d5b970d1d9297

SHA1
d07896dc356dc9c98b92deb088bb5e9b3a5e4525

SHA256
a6f772a8554f17f1e523c1b94e34fafd8e8575b47fe04f9c7f9fd56e9e71846f

SHA512
5a68b7932cfd0b379c13c56fa52bbd3bbc386e40bc1d5b4d9c563776bc830e9787aab0d82e79270f434b8e35cdfcaa4306510918fe3bb01802f10763e631f8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2186b664-8966-47fa-8ad9-0887156424c1.vbs

Filesize
713B

MD5
a6bb2a7d6bcdec079bd0cf976e7b1641

SHA1
c73897fd8b8c96ea58700ca7f6c693e327d63d8a

SHA256
dc33f34ab8ed5064a4333f8e5495d2b3efb4c86f387ca56b79cdd00f6729aa5d

SHA512
e07af481b96389db6fac0949e03df70b0eee01a6e7da8b07aaef7f2b044b7d16a43321d6449f1d01f7fd72257e5bfd1005bac0fe4e0fde148a9016d1b301e98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\26f46a77-35a0-4856-92bc-074cd85acf50.vbs

Filesize
713B

MD5
e57429b2ecf783c872db36590f377d84

SHA1
fadc9aa59b98e10204536fabb09ef0471cccab05

SHA256
990121e1de6b9fbba26db0a37381f1e99dfd406a759d33e1e294f8a20c5976a5

SHA512
2ac39e52dd7b041279997141c92934b488213712e9650bbe1f35459a952a550d736d651e6d0574a245531a12a61ffbb5fe1f87694703a9a102c88262c433240e

Download Submit
C:\Users\Admin\AppData\Local\Temp\36525fb5-27ef-4f8f-9879-7478cc1a3654.vbs

Filesize
713B

MD5
9e7226440db7947c85a3e2f022d0f84a

SHA1
c3ce334756ede4136b291e8f61311c43c390e23d

SHA256
ed00bb61a4e27d020bd2ad9720c0a2485da748f063143cc49a98cbd52e2451a9

SHA512
15f45edc9e0a9d1a551b9234883955ec97670d9a56e9d2f2deedb34e0200cad0642dd0c52c04d6bf18d30b5927c81d19b74c86f96d14142c323ac39c57839aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d6e2bac-1ccc-49c1-a58f-0df2b493098e.vbs

Filesize
713B

MD5
7197aece2856356b9228cfc1cafd4828

SHA1
c59965423cbe4ebebe1bf58107569eb9d59aedce

SHA256
e3d3eef86e22387e296a9c74acf03482b1837bd197df4795a7be16e08c171933

SHA512
e56f5ac5175bd035bccdb60630e7f360f936fc035639ac83afd0ae44686421f895448a06213cb8ee895fae385c573fe73c2348774d2cc5d35640bbacaa72ed0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aff8cb3-fe26-453e-8299-c81fd1ae4bc8.vbs

Filesize
713B

MD5
085fe78d7bd6060003d1bba3b4cb58bf

SHA1
70da3b5dd758bca2d601cd0cdbcf143696167ed3

SHA256
815c3efccba653a6b12fc7f37809195a2866193dcf2ec1a582b2fb3d15ad133d

SHA512
f11e380ec427f1a6dcda37131a4075a35bc07ad77329fe36ec9acbce707fd4a0b2e2f84e723241f47244209189a401e48be2dd7844dc8307aee1e3fcb3eb5149

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwxsxows.0uq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a83ed7fb-f5b8-4d0a-88d9-7da160fb8d86.vbs

Filesize
713B

MD5
556ef6a974d93df08a7d7b36f22de2e9

SHA1
0e3fecb32cabe8214b449bf2698ddbc888c96dfe

SHA256
70fb7d6d4e468501688dac2b2b6889dea5d0df6a25cb21402dcbe4dc42aa74fa

SHA512
f05bc1fa371b4733d02c6685330d62619c0383ce0816ba1a4ff4db7bcc1221dfc65ea1bfb57c6437eafa232742b541860b59a09225eaa30fa36ec4e644f44c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6183b4b-8167-4e04-97ca-61c0f9145297.vbs

Filesize
713B

MD5
8e245136e6a47a92b65709b265750a7a

SHA1
bf495964fb6ce0abdd81a011897f07c07720d6ca

SHA256
3c426bb25e904536bcb07041140ab1aef1ce4ab50151c31e056de9a2758875e0

SHA512
b10f3efc5fe178fe3c76ab51068fe53ea6336766919d6f30d57ccfac69adcd1c31ee482d7559c23c2ec2805d3f8dd721d56bf22229f233099a97ecd6994d22ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f88f17-4cc2-4f59-bfaf-5ca2f65838e6.vbs

Filesize
713B

MD5
a6ede41d74197d1d57991da0fd01555a

SHA1
56e8d3cac0c65d8e20542a00b15bfdc0d1511f12

SHA256
a102657339d960a611170e6e6dedc2b07a69a2f4407746da6876b48927efebab

SHA512
efd993b4a31645c98873f0ee32b2fb096163a6dac1cc3acf9fd921f49cfa2e573b8f75a73be2ea1f09f8348018a1028dff9bfe7767070b3614d726894c7a4276

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1ac68eb-648a-4646-85d5-068f699282c1.vbs

Filesize
713B

MD5
59d111ff7b04e0e5c0b27d24b0df1df4

SHA1
3fbd00e0c551c60462c2fc343abf322844fc7aeb

SHA256
7fedae7163f0996e2c2d645467bcd1afa2e2af20d2983bf235eceffe65b55981

SHA512
b25d8633888f45f9793d6b6d77dfe87cc7d4fab3a9f71b06f3e87f8f6d2f9210f17e1751ba6b1deb34d5a53f8eed74ccfc8e9b002d169a25c822c522dfcb0f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dda407c3-e396-4361-9649-f8dc2559b453.vbs

Filesize
713B

MD5
c8bc32feac2a8a8e718040cc65e50dc3

SHA1
f959740de56866c8fd9cc6dab63c06f9bb961315

SHA256
7669cef257f80c272ea4d0f6d073fefb711d9f1d8ea2d8ed6cf1a48b5c3e177d

SHA512
f3476a0668fae0cf787fef901157bd3c040d75d5484852b0f382c93bd73e4242d347200d542711ef6750db3caab421df75a3f98fb054cee412e0358d5919c481

Download Submit
C:\Users\Admin\AppData\Local\Temp\f625ff0f-c714-4172-8ea2-f90fba6b3980.vbs

Filesize
713B

MD5
2ae0d0652f1f0cb1a3e51a8c20ea1e2c

SHA1
399944d0405b6ad48cc960f6d59a251c52c928af

SHA256
d029bf7c6171ef4b8197acbfe4f59c04eb10fb99cfcf70b727b3fa0839041abe

SHA512
e2b293e266e21d617cd02d3e3f51c22db746f76c3e2411cad4af4db29dcf6e2b1f762f10f3450ae186f278414918e9a4e1c3bd96ac7f01be96a76f79069d590c

Download Submit
memory/1160-399-0x000000001AF20000-0x000000001AF32000-memory.dmp

Filesize
72KB

Download
memory/1272-321-0x00000000033C0000-0x0000000003416000-memory.dmp

Filesize
344KB

Download
memory/1752-285-0x00000000033D0000-0x00000000033E2000-memory.dmp

Filesize
72KB

Download
memory/1956-188-0x00000202E3AB0000-0x00000202E3AD2000-memory.dmp

Filesize
136KB

Download
memory/2000-431-0x000000001BB10000-0x000000001BB66000-memory.dmp

Filesize
344KB

Download
memory/2036-10-0x000000001B6B0000-0x000000001B6C2000-memory.dmp

Filesize
72KB

Download
memory/2036-15-0x000000001B810000-0x000000001B81A000-memory.dmp

Filesize
40KB

Download
memory/2036-11-0x000000001C010000-0x000000001C538000-memory.dmp

Filesize
5.2MB

Download
memory/2036-12-0x000000001B6E0000-0x000000001B6EA000-memory.dmp

Filesize
40KB

Download
memory/2036-13-0x000000001B6F0000-0x000000001B6FA000-memory.dmp

Filesize
40KB

Download
memory/2036-16-0x000000001B820000-0x000000001B82C000-memory.dmp

Filesize
48KB

Download
memory/2036-8-0x000000001AFB0000-0x000000001B006000-memory.dmp

Filesize
344KB

Download
memory/2036-1-0x0000000000070000-0x00000000002F6000-memory.dmp

Filesize
2.5MB

Download
memory/2036-7-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/2036-2-0x00007FFFF45F0000-0x00007FFFF50B1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-0-0x00007FFFF45F3000-0x00007FFFF45F5000-memory.dmp

Filesize
8KB

Download
memory/2036-3-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/2036-6-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/2036-14-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/2036-5-0x000000001B650000-0x000000001B6A0000-memory.dmp

Filesize
320KB

Download
memory/2036-9-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/2036-4-0x0000000002520000-0x000000000253C000-memory.dmp

Filesize
112KB

Download
memory/2036-18-0x000000001B940000-0x000000001B94A000-memory.dmp

Filesize
40KB

Download
memory/2036-253-0x00007FFFF45F0000-0x00007FFFF50B1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-17-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/2156-297-0x000000001B8B0000-0x000000001B906000-memory.dmp

Filesize
344KB

Download
memory/2456-309-0x000000001B770000-0x000000001B7C6000-memory.dmp

Filesize
344KB

Download
memory/3128-272-0x000000001BA10000-0x000000001BA22000-memory.dmp

Filesize
72KB

Download
memory/3128-271-0x000000001B9B0000-0x000000001BA06000-memory.dmp

Filesize
344KB

Download