dcrat | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
126s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a73951d8730beba8a769c882801bd767.exe
Size

1.6MB
MD5

a73951d8730beba8a769c882801bd767
SHA1

d7a91fcad4c3477b2bb17168404b015249dc9925
SHA256

fd491ef92bb1de6bc677badbca3c26699d3cd713e5803c82757768965be9ded3
SHA512

12f5bb32eba7a028f0ef7dc29d6d75efb5460ce34209c677539daa83cadf1c689961a8a076a7d8acc90479fba8fc526ee1e83f0e19af5d784525425a5e15c6e6
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3288	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3288	schtasks.exe	90

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/6064-1-0x0000000000990000-0x0000000000B32000-memory.dmp	dcrat
behavioral10/files/0x00070000000242ac-26.dat	dcrat
behavioral10/files/0x00070000000242b0-52.dat	dcrat
behavioral10/files/0x00090000000242a9-74.dat	dcrat
behavioral10/memory/1236-168-0x00000000005D0000-0x0000000000772000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6116	powershell.exe
2172	powershell.exe
712	powershell.exe
5552	powershell.exe
3112	powershell.exe
2484	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	a73951d8730beba8a769c882801bd767.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 14 IoCs

pid	Process
1236	csrss.exe
4864	csrss.exe
2640	csrss.exe
5812	csrss.exe
1228	csrss.exe
4280	csrss.exe
6000	csrss.exe
4760	csrss.exe
708	csrss.exe
1120	csrss.exe
2916	csrss.exe
3132	csrss.exe
4468	csrss.exe
4544	csrss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\f3b6ecef712a24	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX674D.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX67BC.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX6A2E.tmp	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Uninstall Information\RuntimeBroker.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX6A2F.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Crashpad\reports\spoolsv.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Crashpad\reports\spoolsv.exe	a73951d8730beba8a769c882801bd767.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\6ccacd8608530f	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\RCX6033.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\RCX6034.tmp	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe	a73951d8730beba8a769c882801bd767.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	a73951d8730beba8a769c882801bd767.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4472	schtasks.exe
4604	schtasks.exe
3364	schtasks.exe
4748	schtasks.exe
4548	schtasks.exe
6000	schtasks.exe
4560	schtasks.exe
1820	schtasks.exe
1220	schtasks.exe
4420	schtasks.exe
4556	schtasks.exe
4764	schtasks.exe
4788	schtasks.exe
3916	schtasks.exe
4456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
6064	a73951d8730beba8a769c882801bd767.exe
6064	a73951d8730beba8a769c882801bd767.exe
6064	a73951d8730beba8a769c882801bd767.exe
6116	powershell.exe
6116	powershell.exe
2172	powershell.exe
2172	powershell.exe
5552	powershell.exe
5552	powershell.exe
3112	powershell.exe
3112	powershell.exe
712	powershell.exe
712	powershell.exe
2484	powershell.exe
2484	powershell.exe
5552	powershell.exe
2484	powershell.exe
2172	powershell.exe
6116	powershell.exe
712	powershell.exe
3112	powershell.exe
1236	csrss.exe
4864	csrss.exe
2640	csrss.exe
5812	csrss.exe
5812	csrss.exe
1228	csrss.exe
1228	csrss.exe
4280	csrss.exe
4280	csrss.exe
6000	csrss.exe
6000	csrss.exe
4760	csrss.exe
4760	csrss.exe
708	csrss.exe
708	csrss.exe
1120	csrss.exe
2916	csrss.exe
3132	csrss.exe
4468	csrss.exe
4544	csrss.exe
4544	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	6064	a73951d8730beba8a769c882801bd767.exe
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1236	csrss.exe
Token: SeDebugPrivilege	4864	csrss.exe
Token: SeDebugPrivilege	2640	csrss.exe
Token: SeDebugPrivilege	5812	csrss.exe
Token: SeDebugPrivilege	1228	csrss.exe
Token: SeDebugPrivilege	4280	csrss.exe
Token: SeDebugPrivilege	6000	csrss.exe
Token: SeDebugPrivilege	4760	csrss.exe
Token: SeDebugPrivilege	708	csrss.exe
Token: SeDebugPrivilege	1120	csrss.exe
Token: SeDebugPrivilege	2916	csrss.exe
Token: SeDebugPrivilege	3132	csrss.exe
Token: SeDebugPrivilege	4468	csrss.exe
Token: SeDebugPrivilege	4544	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6064 wrote to memory of 6116	6064	a73951d8730beba8a769c882801bd767.exe	111
PID 6064 wrote to memory of 6116	6064	a73951d8730beba8a769c882801bd767.exe	111
PID 6064 wrote to memory of 2484	6064	a73951d8730beba8a769c882801bd767.exe	112
PID 6064 wrote to memory of 2484	6064	a73951d8730beba8a769c882801bd767.exe	112
PID 6064 wrote to memory of 3112	6064	a73951d8730beba8a769c882801bd767.exe	113
PID 6064 wrote to memory of 3112	6064	a73951d8730beba8a769c882801bd767.exe	113
PID 6064 wrote to memory of 5552	6064	a73951d8730beba8a769c882801bd767.exe	115
PID 6064 wrote to memory of 5552	6064	a73951d8730beba8a769c882801bd767.exe	115
PID 6064 wrote to memory of 712	6064	a73951d8730beba8a769c882801bd767.exe	116
PID 6064 wrote to memory of 712	6064	a73951d8730beba8a769c882801bd767.exe	116
PID 6064 wrote to memory of 2172	6064	a73951d8730beba8a769c882801bd767.exe	118
PID 6064 wrote to memory of 2172	6064	a73951d8730beba8a769c882801bd767.exe	118
PID 6064 wrote to memory of 1284	6064	a73951d8730beba8a769c882801bd767.exe	123
PID 6064 wrote to memory of 1284	6064	a73951d8730beba8a769c882801bd767.exe	123
PID 1284 wrote to memory of 5236	1284	cmd.exe	125
PID 1284 wrote to memory of 5236	1284	cmd.exe	125
PID 1284 wrote to memory of 1236	1284	cmd.exe	130
PID 1284 wrote to memory of 1236	1284	cmd.exe	130
PID 1236 wrote to memory of 4772	1236	csrss.exe	131
PID 1236 wrote to memory of 4772	1236	csrss.exe	131
PID 1236 wrote to memory of 1684	1236	csrss.exe	132
PID 1236 wrote to memory of 1684	1236	csrss.exe	132
PID 4772 wrote to memory of 4864	4772	WScript.exe	134
PID 4772 wrote to memory of 4864	4772	WScript.exe	134
PID 4864 wrote to memory of 2272	4864	csrss.exe	135
PID 4864 wrote to memory of 2272	4864	csrss.exe	135
PID 4864 wrote to memory of 1968	4864	csrss.exe	136
PID 4864 wrote to memory of 1968	4864	csrss.exe	136
PID 2272 wrote to memory of 2640	2272	WScript.exe	137
PID 2272 wrote to memory of 2640	2272	WScript.exe	137
PID 2640 wrote to memory of 2748	2640	csrss.exe	138
PID 2640 wrote to memory of 2748	2640	csrss.exe	138
PID 2640 wrote to memory of 5912	2640	csrss.exe	139
PID 2640 wrote to memory of 5912	2640	csrss.exe	139
PID 2748 wrote to memory of 5812	2748	WScript.exe	143
PID 2748 wrote to memory of 5812	2748	WScript.exe	143
PID 5812 wrote to memory of 4124	5812	csrss.exe	144
PID 5812 wrote to memory of 4124	5812	csrss.exe	144
PID 5812 wrote to memory of 5552	5812	csrss.exe	145
PID 5812 wrote to memory of 5552	5812	csrss.exe	145
PID 4124 wrote to memory of 1228	4124	WScript.exe	146
PID 4124 wrote to memory of 1228	4124	WScript.exe	146
PID 1228 wrote to memory of 4352	1228	csrss.exe	147
PID 1228 wrote to memory of 4352	1228	csrss.exe	147
PID 1228 wrote to memory of 4424	1228	csrss.exe	148
PID 1228 wrote to memory of 4424	1228	csrss.exe	148
PID 4352 wrote to memory of 4280	4352	WScript.exe	149
PID 4352 wrote to memory of 4280	4352	WScript.exe	149
PID 4280 wrote to memory of 5988	4280	csrss.exe	150
PID 4280 wrote to memory of 5988	4280	csrss.exe	150
PID 4280 wrote to memory of 4832	4280	csrss.exe	151
PID 4280 wrote to memory of 4832	4280	csrss.exe	151
PID 5988 wrote to memory of 6000	5988	WScript.exe	152
PID 5988 wrote to memory of 6000	5988	WScript.exe	152
PID 6000 wrote to memory of 4872	6000	csrss.exe	153
PID 6000 wrote to memory of 4872	6000	csrss.exe	153
PID 6000 wrote to memory of 5296	6000	csrss.exe	154
PID 6000 wrote to memory of 5296	6000	csrss.exe	154
PID 4872 wrote to memory of 4760	4872	WScript.exe	155
PID 4872 wrote to memory of 4760	4872	WScript.exe	155
PID 4760 wrote to memory of 3960	4760	csrss.exe	156
PID 4760 wrote to memory of 3960	4760	csrss.exe	156
PID 4760 wrote to memory of 5664	4760	csrss.exe	157
PID 4760 wrote to memory of 5664	4760	csrss.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe
"C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hu4hSSQpnV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5236
- - C:\Recovery\WindowsRE\csrss.exe
    "C:\Recovery\WindowsRE\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\415ff65c-56e1-4ad3-898d-0b8a58b03b44.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c935d10-72c3-4924-876e-6b9d21228844.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7d44775-8af7-44cb-9579-c00f84055b71.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48da7524-0dc9-4425-972b-380722f4dfff.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57b1e93-6b79-44f1-8a89-a73a77da6ffe.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fad3f30-0dcb-4d25-b13f-53094543ee6c.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5988
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ccfd9f7-2415-4c18-9103-8fe21d381d64.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca69fb4-bddb-411d-9f4e-005c1dc4c99d.vbs"
        18⤵
        
        PID:3960
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50466a1e-f27a-4a97-aa3e-c25674597b4f.vbs"
        20⤵
        
        PID:4292
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1c12d77-5612-4756-b936-8f8dbb8a61b1.vbs"
        22⤵
        
        PID:5892
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4baa9ad-fcb8-4c2d-8301-07e121c48a0b.vbs"
        24⤵
        
        PID:856
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33cb935-2e42-4564-9143-63774f7dbb6a.vbs"
        26⤵
        
        PID:1052
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e1ad35c-fccd-4707-8762-84c22081924c.vbs"
        28⤵
        
        PID:4564
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14729926-207f-4b78-8d02-922c917554f6.vbs"
        30⤵
        
        PID:4220
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        31⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dabf37a-5c39-4343-b8d2-61b10122e1ca.vbs"
        32⤵
        
        PID:3124
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        33⤵
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e279a6d-7eed-4870-9446-c71c1f083b7a.vbs"
        34⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a23abcf-0c46-46b2-b80c-996ac3984fe6.vbs"
        34⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae12c8a7-bd5d-403e-bb7b-8eafe11f2219.vbs"
        32⤵
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cebc5278-ac5f-4da4-9bcf-c94d3a3b26cc.vbs"
        30⤵
        
        PID:5980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8b1d58d-990d-45d8-bc0e-e9bd77881026.vbs"
        28⤵
        
        PID:5508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44f8942d-80d9-4e3f-b2a5-c7d660dd46fc.vbs"
        26⤵
        
        PID:5964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c39997-4591-4ea4-a87b-f6a63d43c42b.vbs"
        24⤵
        
        PID:5512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b0a6e80-5122-4a0a-bc84-332484ba550e.vbs"
        22⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24c810f-043c-4610-87b9-60da90e7b41b.vbs"
        20⤵
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1f7352-5b30-4894-9c41-f50fa82bd020.vbs"
        18⤵
        
        PID:5664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c233fe03-0c4e-452c-bb16-57d9f3f50a86.vbs"
        16⤵
        
        PID:5296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17861a5-afaa-4b47-b999-6a961557a160.vbs"
        14⤵
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc15ac9-720e-41f1-94b3-6ded44795f7a.vbs"
        12⤵
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47380ac7-75b4-48dd-829c-c69d363ddb71.vbs"
        10⤵
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02f62083-e108-4932-81a5-386394f74477.vbs"
        8⤵
        
        PID:5912
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d207a013-f913-415b-9102-7b4166011abf.vbs"
        6⤵
        
        PID:1968
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d118268d-dcf2-41ed-9ebf-0a6f4aeb8075.vbs"
      4⤵
      PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\reports\spoolsv.exe

Filesize
1.6MB

MD5
a73951d8730beba8a769c882801bd767

SHA1
d7a91fcad4c3477b2bb17168404b015249dc9925

SHA256
fd491ef92bb1de6bc677badbca3c26699d3cd713e5803c82757768965be9ded3

SHA512
12f5bb32eba7a028f0ef7dc29d6d75efb5460ce34209c677539daa83cadf1c689961a8a076a7d8acc90479fba8fc526ee1e83f0e19af5d784525425a5e15c6e6

Download Submit
C:\Program Files\Uninstall Information\RCX67BC.tmp

Filesize
1.6MB

MD5
9f07adedbeefa1fd3a4607862c21fdee

SHA1
9452a90d1a8c9e6ecf7a927ea60f83d66a4b6e81

SHA256
18ab4848228d216bae897fbf767f34df525b897bc29bd4a9cada64824d590d8b

SHA512
0a6879a50e2a4e38aecb4e57228609de3dc02ea45cde2eb236b01627f5ead90cd9eeaeca38456a3f01f7597eab4503fbbac367cca59e780ca8507ed51c5db87d

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.6MB

MD5
88ff2fdfd9f6a809f6994131bf4088bc

SHA1
4ca1ac6b4774fa3edcc67e1014566f08159014cd

SHA256
183b950d98d70d814336ac53cb0f127c857e80ad6d3475083a4fbd283977e8e3

SHA512
485a3921f7a1109c7da5db165a8d92a73230b2c5afc4cd461c38b481275daa4b6d7cc8ba4d76c61b96753f7a73d0707e921f9bb830a5f841fb2e01a7d1008da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b594c0a5591fab95a43185dd9944a231

SHA1
3d725e779790f3525ba12b0666f0a3a235644fed

SHA256
8478ca44e6145dbe6664f871852535793f5ab6d86b4c78c611165bdfb91f159a

SHA512
452fc6194d00c466a3ceb98d2cce2e4262f6b0998b99c6b2ccd842d07449b177d1ce9ff4e7659e0b358eedf44bdc20cc30e3fdb2e4b61e56d94e3965f48cdb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e7d0883e28000a6270cf6b3b3f7b6c5a

SHA1
74d916eb15baa5ce4a168cd80d3d2c45d503daa2

SHA256
63f3369719ec0f4063138a71ba369a25fb4824bc035eaa4072ee6a5a1812480a

SHA512
4b4ade064020959bc677689fa658816c8c498c8117df70a1ae4076533972593b4e2c3bf45d39e28662892e12db07641f14870ef69292e81030f8b3d7c92302f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
737aca23f199ce589dd1e68bc4969b98

SHA1
8c9cdd6bdf94c5fa42c5b0c29abf0136e4e6fa00

SHA256
6aa59e171898b3dd42a36662ef81d349ce5063a705f1261e881269c59e7c742b

SHA512
ccc0e6fa798aeb92e6e1a14d6ef3dc23e8e829d5ffd10f11129d0e590820711e29997a761dca77b8e790b06e3c7c0d2059137f40f92543eb8048529b1b4d7817

Download Submit
C:\Users\Admin\AppData\Local\Temp\14729926-207f-4b78-8d02-922c917554f6.vbs

Filesize
707B

MD5
1fd65009154d1454a1fca0f6b6af4066

SHA1
30ee270ef8804240367ebfa8ee126b62deb172b8

SHA256
4097fc80a2666c01160a78b8d281e43f4cb3f3bdd76fe45069e426857b920524

SHA512
da13287ec72c9317c532557f42c7a636e58e87d880b6a7a0863c1ccd08006320e11dd0391fb48b4f8be1a008991b00c7462333a8cc55ced199f1a4e460a890ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e1ad35c-fccd-4707-8762-84c22081924c.vbs

Filesize
707B

MD5
457d9407f90ae312be486006fbe2980b

SHA1
cb12f9c23528fc0c8cf852e0e47c3912dc3531b3

SHA256
80235b98e567e61dec10a5153ce374d073c5a3017f45d08a890c0a9fdc60f3c8

SHA512
37a798a782af5f0068a077ee0541f1a25167748daed94eccca3231ef47cd2315d5cb1395e0ba22786f6f4df635d7d53f40adf30fb3aa998b0aee88cb79538ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ccfd9f7-2415-4c18-9103-8fe21d381d64.vbs

Filesize
707B

MD5
c497dcfe072c0374c3e6a007fbc51e73

SHA1
ccd38e16293f572036815186f4cd88aae54f5d64

SHA256
eecfbe7592064068fe985d2ff154af34a1acbadd1ff00daeabeeabb50e46cd0d

SHA512
e6d9c6af2a44dc33b3433516b6cfd22cc25fdab5590c17c16e7035e91cc664cebd1a7ddbc7f95e45d7b560e8d1d0ea4bc2b2275a46ac93fcd7274b2e070cf448

Download Submit
C:\Users\Admin\AppData\Local\Temp\415ff65c-56e1-4ad3-898d-0b8a58b03b44.vbs

Filesize
707B

MD5
b384230dd5d051c96ce07ede53c5bde2

SHA1
eb2e4d2334adc354bb14861482e0f98114a2f4d2

SHA256
07615e8e6aaabdee9aab5d499500d16c33277a0136387ddc4b5d2890cdddf378

SHA512
b73560e410dd127631f3e7785f97545d80d335710af2fc854e18bccc3f2a53fd8bece79463bc0a40e872da9522117171971366217db90066ea8bd66acf059124

Download Submit
C:\Users\Admin\AppData\Local\Temp\48da7524-0dc9-4425-972b-380722f4dfff.vbs

Filesize
707B

MD5
631cfc851d812b17d966fab18d7e9fe3

SHA1
40b42e4a404589a9a7a563bdd6adf187e7a164d9

SHA256
95e175c6ca31e16bb86d7c7996fb071fd511befa751379847e424800e9e21ee8

SHA512
dc9f31151958a8fa0ea75ce2d83fa20283a7c6683fb936075d4a403b44bc8c16ba3816ff47a26a867d279b376f23e54cdda75e4a6b72347e4475519f656eb04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50466a1e-f27a-4a97-aa3e-c25674597b4f.vbs

Filesize
706B

MD5
c9164463fc85e940283f2f643615ba93

SHA1
122f919ae4e7d649a662a1df96d6c0ac76c173ca

SHA256
731e31bd81ef8ecdf8049b04d9c17cbf3a6a4b6e248f87c07c6bc67958b4706a

SHA512
e7e603bfcf0911279434681c6807d4b508cb40f6e17fa5003fa75229a9bbdcdcab1fad3f31d7f7e013e25a052ba5faac87013205d18b7dedc834ca091e90351f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c935d10-72c3-4924-876e-6b9d21228844.vbs

Filesize
707B

MD5
3d513e5477d6342a077ccf056c7a467c

SHA1
d311c1a61f4b245a7666317bd488a70b658c0430

SHA256
11663a2591e7acab633e6bf1a2bebf00bf0f94d05adfe8745ae976f6c748a952

SHA512
3c88617cbb9ffb330517a2f139137e886c489d4265e3049eda89a32bc8a54e814a2740b6774717094953be964efa10000afe35b41a659ab48d1fbcced76df657

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fad3f30-0dcb-4d25-b13f-53094543ee6c.vbs

Filesize
707B

MD5
361f7c9a6bea68792817bd50ef0bde1c

SHA1
d745be881bd658b5e7045df00f5b2f1aea53b721

SHA256
8ba2d34e6789c76f3c862a90d8197e5222863023fea333b356483d0891588d20

SHA512
09b91e984a8de06c3c67c4c81518e29249c0d332079f0ed1692f0802d300124f87593dd1eee3e3755b55c0c0f57691bc2efa19b00ad8d968428f1b82a50c7f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hu4hSSQpnV.bat

Filesize
196B

MD5
b4eea4eec1cca9b62fc56bb30349ae7a

SHA1
dc9f9f8c9cb33dfb357c8b5b3d5a3c6eb76d37d9

SHA256
0de0c96d0a7af393115cbff0a6845db6180f0716608f2e82a2652e7b56737cbb

SHA512
5ed7c5a67e3d4a1dbab424cef635ba64ac8ba846b5be9ef6474b1f1efe229e13cf5cd21ee3314161f81828779d596a45392a8734c8f7e49147a152fda87ce725

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0kqzihs.gor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aca69fb4-bddb-411d-9f4e-005c1dc4c99d.vbs

Filesize
707B

MD5
0c714b383fd7772aee9145234c291edd

SHA1
7dcfbbd5564f98a9b6ca73313249206b38f2d46a

SHA256
999880c8982f1ada64c8d4167c29ec570c64e64e684f815e404939465a2d5b93

SHA512
c8b27b238355e7557c265947f89759dd2c8f1e6dbd18a6a1627cecfcef59ecb7c0860608515cbe6d1e2512af7382ab5af4afbb185707127d9dea0c4f9c338987

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4baa9ad-fcb8-4c2d-8301-07e121c48a0b.vbs

Filesize
707B

MD5
0f6fa5a902fc57e62071d5ca013ab241

SHA1
086d083d86bc7c18cf84d205fbedf123084825dc

SHA256
2b16376addfe0a3bd64fe483886b33db2e2c1557490c33556846a65b746c5bef

SHA512
609da53c4055f330ccb537fc51ebf745f7d6cf66f3914bf07bd250d37aee277cba7dbcde51468bca03ea81501214f9188427e30d02f606e64986a64bd4112769

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57b1e93-6b79-44f1-8a89-a73a77da6ffe.vbs

Filesize
707B

MD5
3ae405fb4cd68b244b19c55808645f7a

SHA1
6bf1eeed76b2966480ece07c966c572ab878b3c3

SHA256
7993ca0bbcbf67c287a166dcd38202ece85399f124a8a40b797d21660b3c3a22

SHA512
ea1669ac0a323978f27d5cd504c7f2722e2d3f3ef8a4fefe2e0185ec1284dec2c7e87a4515172716cf73fd4c02dcd6c7b6c6d9b173cd163eec327a0cf68b83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7d44775-8af7-44cb-9579-c00f84055b71.vbs

Filesize
707B

MD5
71829110069376cf686e7d3e55548138

SHA1
eb8b8d8683f1891310bff6e19484b11a691c1078

SHA256
0aa556a485655710cc899fd8633c3c15aa3fa3cf2d2d210cc4eb0dfca72d7b8f

SHA512
027b6f6791fa204677fe990108973ed6dc7d330538615e275916bd9b455205d762893e91e1aa5011953ffead8669deae589aa7aa7f7f48c9812713edddb5c683

Download Submit
C:\Users\Admin\AppData\Local\Temp\d118268d-dcf2-41ed-9ebf-0a6f4aeb8075.vbs

Filesize
483B

MD5
e08c22d02ba470c7e13916363763d675

SHA1
43dfc04ad60959cd1d7bddb278e2826f2bc07fa8

SHA256
856e6728928c6c7d30be2ca1eab772c7cdcc182653176927a1c3f71d9ecff523

SHA512
5a7c4825dc04572d1ea273a9e9fa82bddbd03e5c22dcd1b83bc398f5f947d9de301d0e88f7170b42841cf92d9554de61309e93bae9def1c25cb9f08f86d85540

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1c12d77-5612-4756-b936-8f8dbb8a61b1.vbs

Filesize
707B

MD5
bc6f2667e12fc1805f962515ed13af24

SHA1
a0a94f5ea343773cabdcf54469bcc1e245e94809

SHA256
10440ce54c078578540d216f874f9b11adf28b9a1ca7d83405f72c089f16753c

SHA512
2effb3cbbfa209877acf56e069875cd04cc852acc4ae7e04d6eb9e522fa0f5eabc35f7df843deebab380c3fefa465413a6b85d42f22fe054a45981bc9542c064

Download Submit
C:\Users\Admin\AppData\Local\Temp\f33cb935-2e42-4564-9143-63774f7dbb6a.vbs

Filesize
707B

MD5
adc4dc961898968d9b8397043f184d68

SHA1
066858ce66ac009a88fea09475dbd8919f2c3034

SHA256
c87049091cb1c5a9dc6bf84748e06f6dfcd2e439e2a8ee9050a68d303c28bbae

SHA512
26751286320879d3d1a52cfb12e0acd3b622ba138b16d60b59d148d3ba0e9b2cfd8f9377a4d2407029151caf29eee08f3929f0ee8affd6530e5c813c60652abb

Download Submit
memory/1236-168-0x00000000005D0000-0x0000000000772000-memory.dmp

Filesize
1.6MB

Download
memory/6064-12-0x000000001B720000-0x000000001B72A000-memory.dmp

Filesize
40KB

Download
memory/6064-7-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/6064-10-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/6064-13-0x000000001BFF0000-0x000000001BFFE000-memory.dmp

Filesize
56KB

Download
memory/6064-9-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/6064-17-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/6064-8-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/6064-6-0x000000001B660000-0x000000001B676000-memory.dmp

Filesize
88KB

Download
memory/6064-16-0x000000001C020000-0x000000001C02A000-memory.dmp

Filesize
40KB

Download
memory/6064-11-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/6064-119-0x00007FFA2ED60000-0x00007FFA2F821000-memory.dmp

Filesize
10.8MB

Download
memory/6064-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/6064-5-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/6064-0-0x00007FFA2ED63000-0x00007FFA2ED65000-memory.dmp

Filesize
8KB

Download
memory/6064-4-0x000000001B6A0000-0x000000001B6F0000-memory.dmp

Filesize
320KB

Download
memory/6064-1-0x0000000000990000-0x0000000000B32000-memory.dmp

Filesize
1.6MB

Download
memory/6064-15-0x000000001C010000-0x000000001C018000-memory.dmp

Filesize
32KB

Download
memory/6064-14-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/6064-2-0x00007FFA2ED60000-0x00007FFA2F821000-memory.dmp

Filesize
10.8MB

Download
memory/6116-100-0x000001A0E4020000-0x000001A0E4042000-memory.dmp

Filesize
136KB

Download