dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
77s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
Size

1.6MB
MD5

c108bff5d7cf5216d440596c5c03fea4
SHA1

33eba9f19413d2d26bcd5b21b49bb43563cc0808
SHA256

99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08
SHA512

e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1892	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1892	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/2104-1-0x00000000007C0000-0x0000000000962000-memory.dmp	dcrat
behavioral10/files/0x00070000000240f7-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3296	powershell.exe
4536	powershell.exe
3640	powershell.exe
3468	powershell.exe
2908	powershell.exe
1808	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 7 IoCs

pid	Process
1736	SearchApp.exe
4956	SearchApp.exe
232	SearchApp.exe
760	SearchApp.exe
3756	SearchApp.exe
5032	SearchApp.exe
3744	SearchApp.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\56085415360792	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Fonts\38384e6a620884	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Fonts\RCXB667.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Fonts\RCXB668.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Fonts\SearchApp.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB442.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB453.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Fonts\SearchApp.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1192	schtasks.exe
2228	schtasks.exe
416	schtasks.exe
1276	schtasks.exe
5012	schtasks.exe
4804	schtasks.exe
1524	schtasks.exe
3164	schtasks.exe
648	schtasks.exe
4884	schtasks.exe
2468	schtasks.exe
392	schtasks.exe
5108	schtasks.exe
1128	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
4536	powershell.exe
4536	powershell.exe
1808	powershell.exe
1808	powershell.exe
2908	powershell.exe
2908	powershell.exe
3296	powershell.exe
3296	powershell.exe
3640	powershell.exe
3640	powershell.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
3296	powershell.exe
4536	powershell.exe
2908	powershell.exe
1808	powershell.exe
3640	powershell.exe
1736	SearchApp.exe
4956	SearchApp.exe
232	SearchApp.exe
760	SearchApp.exe
760	SearchApp.exe
3756	SearchApp.exe
3756	SearchApp.exe
5032	SearchApp.exe
3744	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	1736	SearchApp.exe
Token: SeDebugPrivilege	4956	SearchApp.exe
Token: SeDebugPrivilege	232	SearchApp.exe
Token: SeDebugPrivilege	760	SearchApp.exe
Token: SeDebugPrivilege	3756	SearchApp.exe
Token: SeDebugPrivilege	5032	SearchApp.exe
Token: SeDebugPrivilege	3744	SearchApp.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1808	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	109
PID 2104 wrote to memory of 1808	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	109
PID 2104 wrote to memory of 3296	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	110
PID 2104 wrote to memory of 3296	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	110
PID 2104 wrote to memory of 4536	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	111
PID 2104 wrote to memory of 4536	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	111
PID 2104 wrote to memory of 2908	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	112
PID 2104 wrote to memory of 2908	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	112
PID 2104 wrote to memory of 3468	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	113
PID 2104 wrote to memory of 3468	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	113
PID 2104 wrote to memory of 3640	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	114
PID 2104 wrote to memory of 3640	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	114
PID 2104 wrote to memory of 1736	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	121
PID 2104 wrote to memory of 1736	2104	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	121
PID 1736 wrote to memory of 2916	1736	SearchApp.exe	123
PID 1736 wrote to memory of 2916	1736	SearchApp.exe	123
PID 1736 wrote to memory of 3080	1736	SearchApp.exe	124
PID 1736 wrote to memory of 3080	1736	SearchApp.exe	124
PID 2916 wrote to memory of 4956	2916	WScript.exe	127
PID 2916 wrote to memory of 4956	2916	WScript.exe	127
PID 4956 wrote to memory of 8	4956	SearchApp.exe	128
PID 4956 wrote to memory of 8	4956	SearchApp.exe	128
PID 4956 wrote to memory of 312	4956	SearchApp.exe	129
PID 4956 wrote to memory of 312	4956	SearchApp.exe	129
PID 8 wrote to memory of 232	8	WScript.exe	130
PID 8 wrote to memory of 232	8	WScript.exe	130
PID 232 wrote to memory of 1340	232	SearchApp.exe	131
PID 232 wrote to memory of 1340	232	SearchApp.exe	131
PID 232 wrote to memory of 4984	232	SearchApp.exe	132
PID 232 wrote to memory of 4984	232	SearchApp.exe	132
PID 1340 wrote to memory of 760	1340	WScript.exe	138
PID 1340 wrote to memory of 760	1340	WScript.exe	138
PID 760 wrote to memory of 592	760	SearchApp.exe	139
PID 760 wrote to memory of 592	760	SearchApp.exe	139
PID 760 wrote to memory of 4256	760	SearchApp.exe	140
PID 760 wrote to memory of 4256	760	SearchApp.exe	140
PID 592 wrote to memory of 3756	592	WScript.exe	144
PID 592 wrote to memory of 3756	592	WScript.exe	144
PID 3756 wrote to memory of 3088	3756	SearchApp.exe	172
PID 3756 wrote to memory of 3088	3756	SearchApp.exe	172
PID 3756 wrote to memory of 784	3756	SearchApp.exe	146
PID 3756 wrote to memory of 784	3756	SearchApp.exe	146
PID 3088 wrote to memory of 5032	3088	WScript.exe	147
PID 3088 wrote to memory of 5032	3088	WScript.exe	147
PID 5032 wrote to memory of 3004	5032	SearchApp.exe	166
PID 5032 wrote to memory of 3004	5032	SearchApp.exe	166
PID 5032 wrote to memory of 3668	5032	SearchApp.exe	149
PID 5032 wrote to memory of 3668	5032	SearchApp.exe	149
PID 3004 wrote to memory of 3744	3004	WScript.exe	150
PID 3004 wrote to memory of 3744	3004	WScript.exe	150
PID 3744 wrote to memory of 1736	3744	SearchApp.exe	151
PID 3744 wrote to memory of 1736	3744	SearchApp.exe	151
PID 3744 wrote to memory of 3892	3744	SearchApp.exe	152
PID 3744 wrote to memory of 3892	3744	SearchApp.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
"C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\Fonts\SearchApp.exe
  "C:\Windows\Fonts\SearchApp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65b78fd5-674c-4d01-b958-0ea59930b3e0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\Fonts\SearchApp.exe
      C:\Windows\Fonts\SearchApp.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b502de4-e106-43f5-80db-5585249746fb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982b4360-cf58-4b3c-98f0-d599172378e2.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfca51eb-6bee-45f3-b5a6-81341b080f12.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\795b4540-9e11-4d57-9065-a6d18950a51f.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc7e40b-bfa2-4a33-bdc8-b552fbe6f943.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f8c19c-3b57-4c7f-b00f-ba806d14a1ee.vbs"
        15⤵
        
        PID:1736
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        16⤵
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f6fabd8-3468-4c8f-b2d4-3e6fe67a9bbf.vbs"
        17⤵
        
        PID:776
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        18⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25ae1162-1b5c-48cc-b5b3-a5a160067f5d.vbs"
        19⤵
        
        PID:2132
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        20⤵
        
        PID:3548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d98007-4113-46cc-a1f1-858cc3d74d9e.vbs"
        21⤵
        
        PID:2788
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        22⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e759b73b-6363-4664-b8f4-4530a92e04ac.vbs"
        23⤵
        
        PID:2332
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        24⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a005704-2120-4f40-863e-7828db9cb907.vbs"
        25⤵
        
        PID:3580
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        26⤵
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50bf73e7-7187-4193-8c75-df0c0a7e41dc.vbs"
        27⤵
        
        PID:4764
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        28⤵
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\658b6e65-73a9-45ab-be25-649b0e194e0d.vbs"
        29⤵
        
        PID:3216
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        30⤵
        
        PID:4624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bedc8c69-7107-4e52-95e9-a797369990f9.vbs"
        31⤵
        
        PID:940
        
        C:\Windows\Fonts\SearchApp.exe
        
        C:\Windows\Fonts\SearchApp.exe
        32⤵
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba5848a0-376d-4699-a64f-4866cfcd5287.vbs"
        31⤵
        
        PID:708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd9d3904-29cb-4ca6-a7a7-17a3493485f9.vbs"
        29⤵
        
        PID:3760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ba4d5a-de0b-4454-950f-75f6e30bbc1f.vbs"
        27⤵
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126330ba-4cbf-4794-ab0e-01b29fd57610.vbs"
        25⤵
        
        PID:3280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9122ffb9-15a9-41dc-ad37-705df09fe1ea.vbs"
        23⤵
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f366678-e953-4235-9213-bdc90c892352.vbs"
        21⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\589b763f-aa83-41c7-bd0f-9c3bc046bbbe.vbs"
        19⤵
        
        PID:3208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eef341a-b760-465b-8377-4ec27548a1bf.vbs"
        17⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6c4948a-5894-4da6-98fe-0473ee06cf45.vbs"
        15⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2773539d-4189-42c1-a24d-53df0fc88b7f.vbs"
        13⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26c9586-da2a-4206-a4cf-f48b97fc3165.vbs"
        11⤵
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b24452f5-a93a-4b05-ac75-a9ee83caa005.vbs"
        9⤵
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e5077c-dd05-4fd6-bb8b-39e3b19e2fbf.vbs"
        7⤵
        
        PID:4984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b8afdbf-93de-467c-8bdb-34603731be59.vbs"
        5⤵
        
        PID:312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53236f73-214e-4fed-8fed-854714adaea7.vbs"
    3⤵
    PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3ac54ddf2ad44faa6035cf\csrss.exe

Filesize
1.6MB

MD5
c108bff5d7cf5216d440596c5c03fea4

SHA1
33eba9f19413d2d26bcd5b21b49bb43563cc0808

SHA256
99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08

SHA512
e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
084d49c16a0db5a169356315e8e97d83

SHA1
af662c8666ef7c52c9711c0f143e0b8620f27d19

SHA256
a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2

SHA512
c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e452a0569a88103800ef1fdb9d028088

SHA1
b73c91d1a9b444033dd5824543c4b9e9538e379f

SHA256
c0f2157095cd92cebe6ea87b14b366ff5ff71ef681785ac8363b1ca59b0ca242

SHA512
5141bd6ceaaefae93e4663b8235ecb1ff87017c2ed1c5a1cfa249bb5d9b646d6d0493e1f85aebe4ae9bddfd2ff7210ada1217bb32d52a1ac582a2f6d636e08a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5c56bc9516ee1aeea75a81d98481ee92

SHA1
1713f6c42d50fb29d62fc9af9732ddba5ec1d264

SHA256
4289eb4ee8622c15b6257056e3db539193204c38f5508c2e1e776676177fea5f

SHA512
be6af08ee11cd4d95aeb0badc2464207232c9de40b18b077e5b4070b245b494147667e9245ca49e9d51b527d5cb7d550eb7bf1ec20cc679fa9ad95ab9e31da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\09f8c19c-3b57-4c7f-b00f-ba806d14a1ee.vbs

Filesize
706B

MD5
8968b0c595fb7c9095edb7f6ecf9f114

SHA1
69973d08c9eff0f345f7810ecfdc75a9f9a1ba18

SHA256
447919d3f246f0bd12d7acde5a97672d21096ab0925692acea4eff4371e9df2f

SHA512
e55473fced4bc64aafbfb09f8c79fda48d37a3bd8fdf712d26425fa8df0d76ed0360d5f62fbec20410fd02b4361df8376b5d9ef8dcfa7003ed23537f88b51ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\25ae1162-1b5c-48cc-b5b3-a5a160067f5d.vbs

Filesize
706B

MD5
ec9b8be419cd147acda1186e42cb4e6f

SHA1
c429343402b5e64a29fd2012bd3a4563b4ded818

SHA256
ad03ac3e33506bfb01609983c638705f9ae31540edc778b9b07f6c1cc04add00

SHA512
a528b584985d0d0e903181a364a70eccc5b6ccdff4df88400684f98561e339884c4e05ddbd280afa2ded67335af04a26fcf6908fcfbb67bf9a0922341f6b5e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50bf73e7-7187-4193-8c75-df0c0a7e41dc.vbs

Filesize
706B

MD5
98faf2bff0bfc3fb30e52f2d427311de

SHA1
14a30813fa0419e7cc28ace76f36159072cd8275

SHA256
31c9982f141b377c2e681c321c0434025c787558c8170d840c3f4b08404406ec

SHA512
f383c67544781c4592b48036ca7cb87497a19d5fb140613c8e6679623882d474c09df173743fa87af7a47504cc19ac3ecae80b0a4655cf1c769aeb7b29680916

Download Submit
C:\Users\Admin\AppData\Local\Temp\53236f73-214e-4fed-8fed-854714adaea7.vbs

Filesize
482B

MD5
e77e481783b3aa935243e98fac750603

SHA1
96531e34e274003d4586b38e376f2d08cb43f02c

SHA256
c2d417080e64309081857fc7913ba881374feba5314d82b56149fe65076e4f4a

SHA512
01a09bd6536177c3af7c8bcdc2a8448d484598d51c49e79cafe061f31e58b4891be2ef77ce3641fe1b8ac1f2fc6098683cf29f0812600a1626813a74a94361d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b502de4-e106-43f5-80db-5585249746fb.vbs

Filesize
706B

MD5
79ef9d50dd61a3334080baef64638d86

SHA1
625352bc1a5a82fd41b15f318a38d300c1be6581

SHA256
352925640f66db05babfc24bdb336c9a658c2ee20afe4952f60adf16c5c56c1d

SHA512
16c70646c5680f54547a9d9d076683dc6d4285f7c08e78ef36a27c9ce3f2334e3c2a674367b153d44211ce3f2c8876ab62f59fd60ee1a0c7eb016b97764be8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\658b6e65-73a9-45ab-be25-649b0e194e0d.vbs

Filesize
706B

MD5
38f769fc900fb879e27e01a05d872138

SHA1
15e5530ff5434c796f42cee69fea2cf51d9c1a2e

SHA256
15fef193196245aae9e661a0ea85c85c2faf64a90b7b9d60cd09568a1f8e885e

SHA512
a956cca37a94217ac630d19bf97bb242de106e718933e68997f2f0aaf964d9aacc2f413039aaf3f3a9a0d088b2af188a7093a52568584bc090fa8cbfd3299a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\65b78fd5-674c-4d01-b958-0ea59930b3e0.vbs

Filesize
706B

MD5
1859ae3c8a529350928432522f388548

SHA1
7f9ce306c144b15cc8255eabcfdf7dbe96d715d7

SHA256
73c1763c6047d7dd263e779bde06d094be0759a3b04d505527f613e293e0866f

SHA512
afdbd3db158f584e17494599a463ea8928a98ea8ee92f673f3405394f7b9cf02eb659e4863f03125f430e32f4d8ad6154f33d2c16e19dbc8d0bacd0e36f5a1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a005704-2120-4f40-863e-7828db9cb907.vbs

Filesize
706B

MD5
318a68c398865e688e0c68e138cd1604

SHA1
a878d026460b94a923e422f7808ffca585fdfb20

SHA256
e423cbc87d3b09bd156829e80275ebe52e933dd4a730d8b012a853e17583c196

SHA512
b46f2bf28b537512d273371dd906776d9cd5ef8e5b10a92a681f3f909f0b42697511400f07d9cf181631bf335456cf4e5902393305ab4ba31d22f5c0c6a7e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bc7e40b-bfa2-4a33-bdc8-b552fbe6f943.vbs

Filesize
706B

MD5
12b7bf37420b47030ecd679813894d8c

SHA1
6acd53c18151dba40d456f9ca3b57e8cdc33b665

SHA256
046734ed537c19b47d96b50d90a13762e6156cc9fe6c1dbcc88980dda817f1f7

SHA512
71140200e4914030a0bfa57e6af35ebc90227c788cfa02e84f71f313ee5f225ac21085229850bb4cd86044f63cf0bec433a6f79e2024852087d25094946717d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6fabd8-3468-4c8f-b2d4-3e6fe67a9bbf.vbs

Filesize
706B

MD5
4608c47eda89188f76742daa5ecd051e

SHA1
838ce82c9222ab1a1712fefae2b860ceae826a8a

SHA256
5a8f98bc911c27d91b45fa0eb4374ad6b1109b77f8841d79a7df21a32bf44c57

SHA512
dc4882fb9f38d5dafc1a1962efc4868b3497e01e21620b7c85cc6a61ec9e6758bfee6646205f8d8f48b46c282a27846784ba6c49e1a3ce04749676368779dc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\795b4540-9e11-4d57-9065-a6d18950a51f.vbs

Filesize
706B

MD5
c19551b487d816230be4693037e1f293

SHA1
f2aaa3e3215d8c2a8e2e8c6dd9165f5458973a4f

SHA256
ffe0e186479a47d377099bc68e6472037a5174c06c628eff20c4a9f73146d82e

SHA512
33dbe6802f9a60899f9ed48c0a9efe48d0f1059f73d6474e96d9e0b006f98e26208aad51da996cbf4a6679e7b7d8372206597b25e68b944c3ba7e90d9f2ddc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\982b4360-cf58-4b3c-98f0-d599172378e2.vbs

Filesize
705B

MD5
29884656f75f9e6cff7d7b6848bc97ca

SHA1
1440ccc5bcb08bb2fd31b693d89c1a31db158ca5

SHA256
c2e9c9efe10189f6dd0480ae4747ef9a32a1590512bb8b03a78be9b0fffc739a

SHA512
30d8551fd6cef9972c6b97fc98240453ce0b0bbe521f67c4ca5af0063861d918e5b2038ced396ee704b5ff7db836f8da3c87ecf746e27c46fd4931d58012ea87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4amy3ymr.ysm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfca51eb-6bee-45f3-b5a6-81341b080f12.vbs

Filesize
705B

MD5
d9f5603ffc1633b9c72caf84710da3e9

SHA1
f48ff9ef89fbab828d98d1abf9ef22e1f8f5bf1f

SHA256
e05b713d7d9b74f7979b4b53c39b9d003566cf79b3648690733a4efe873a07cc

SHA512
afc0ed22fc02d1f9b2284119bd093f725cecc9205b1dd75746166f017a9f27ff45ee0487ca190357c1db6d1b55532b8e258a4385478c3082096fbb86890dc25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0d98007-4113-46cc-a1f1-858cc3d74d9e.vbs

Filesize
706B

MD5
c0ea7815a21b9b62fd5203f56a6b2201

SHA1
9441b749c1a6721c4d2c5d4551c9dc2c303012e6

SHA256
aa63fcf39b7fe4023da217444a2f73cefb319b4cbe430ae73ad0a13127029d01

SHA512
8ae77c3b1cc8c644202fcdc2c2fcb9258750162bdab5bd6018dd48d4f8d204c57db28174116640688169f8b368a5be692fd9c96c2d093e87f3d02dc27f281086

Download Submit
C:\Users\Admin\AppData\Local\Temp\e759b73b-6363-4664-b8f4-4530a92e04ac.vbs

Filesize
706B

MD5
8e13b457194c916a0f846bc2bdceba94

SHA1
2bc4756dc9c1bfd779d42c99dc237ef398656fa9

SHA256
2f5c826e1e8a030adace83e96f94fcda3e464bfd2745ed1fe6d51b3e23aa48e4

SHA512
3e97c8f8e39b3e55a486732ddac409add718d18a0341f97a72382219c9a3bd677d4632235dda223987ee826744b4afe010b50d93de19e25fcb46ddd1257f14e5

Download Submit
memory/1808-135-0x000001B56C470000-0x000001B56C492000-memory.dmp

Filesize
136KB

Download
memory/2104-11-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/2104-8-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

Filesize
64KB

Download
memory/2104-209-0x00007FF975800000-0x00007FF9762C1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-12-0x000000001BE10000-0x000000001BE1A000-memory.dmp

Filesize
40KB

Download
memory/2104-13-0x000000001BE20000-0x000000001BE2E000-memory.dmp

Filesize
56KB

Download
memory/2104-10-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/2104-0-0x00007FF975803000-0x00007FF975805000-memory.dmp

Filesize
8KB

Download
memory/2104-9-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/2104-16-0x000000001BE50000-0x000000001BE5A000-memory.dmp

Filesize
40KB

Download
memory/2104-15-0x000000001BE40000-0x000000001BE48000-memory.dmp

Filesize
32KB

Download
memory/2104-7-0x000000001B630000-0x000000001B638000-memory.dmp

Filesize
32KB

Download
memory/2104-6-0x000000001BBB0000-0x000000001BBC6000-memory.dmp

Filesize
88KB

Download
memory/2104-5-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2104-3-0x000000001BB90000-0x000000001BBAC000-memory.dmp

Filesize
112KB

Download
memory/2104-14-0x000000001BE30000-0x000000001BE38000-memory.dmp

Filesize
32KB

Download
memory/2104-17-0x000000001BE60000-0x000000001BE6C000-memory.dmp

Filesize
48KB

Download
memory/2104-4-0x000000001BC00000-0x000000001BC50000-memory.dmp

Filesize
320KB

Download
memory/2104-2-0x00007FF975800000-0x00007FF9762C1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-1-0x00000000007C0000-0x0000000000962000-memory.dmp

Filesize
1.6MB

Download