dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
56s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	6064	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	6064	schtasks.exe	86

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/644-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat
behavioral20/files/0x0007000000024309-26.dat	dcrat
behavioral20/files/0x0004000000016918-61.dat	dcrat
behavioral20/files/0x0008000000024311-129.dat	dcrat
behavioral20/files/0x0009000000024314-142.dat	dcrat
behavioral20/memory/6032-268-0x0000000000840000-0x00000000009E2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3832	powershell.exe
1612	powershell.exe
3508	powershell.exe
5848	powershell.exe
2988	powershell.exe
1340	powershell.exe
5356	powershell.exe
1920	powershell.exe
3096	powershell.exe
5772	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 4 IoCs

pid	Process
6032	csrss.exe
3644	csrss.exe
2852	csrss.exe
4252	csrss.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\27d1bcfc3c54e0	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX6E91.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX67F4.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\121e5b5079f7c0	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\ea1d8f6d871115	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX6A77.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX6E92.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\e6c9b481da804f	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX7096.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX7097.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX7772.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX79E5.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX69F9.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX77E1.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ea9f0e6c9e2dcd	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX7A63.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX67E4.tmp	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\Registry.exe	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5164	schtasks.exe
4620	schtasks.exe
632	schtasks.exe
5196	schtasks.exe
4740	schtasks.exe
4596	schtasks.exe
4640	schtasks.exe
2316	schtasks.exe
5488	schtasks.exe
5416	schtasks.exe
4728	schtasks.exe
3232	schtasks.exe
5320	schtasks.exe
4600	schtasks.exe
6036	schtasks.exe
3264	schtasks.exe
4944	schtasks.exe
4724	schtasks.exe
4696	schtasks.exe
4832	schtasks.exe
4544	schtasks.exe
4700	schtasks.exe
4788	schtasks.exe
2460	schtasks.exe
4916	schtasks.exe
3332	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
644	1f0343adab1970d928320ce2aa587fd3.exe
644	1f0343adab1970d928320ce2aa587fd3.exe
644	1f0343adab1970d928320ce2aa587fd3.exe
644	1f0343adab1970d928320ce2aa587fd3.exe
644	1f0343adab1970d928320ce2aa587fd3.exe
2988	powershell.exe
2988	powershell.exe
1612	powershell.exe
1612	powershell.exe
3508	powershell.exe
3508	powershell.exe
5848	powershell.exe
5848	powershell.exe
3096	powershell.exe
3096	powershell.exe
3832	powershell.exe
3832	powershell.exe
5356	powershell.exe
5356	powershell.exe
5772	powershell.exe
5772	powershell.exe
1920	powershell.exe
1920	powershell.exe
1340	powershell.exe
1340	powershell.exe
1612	powershell.exe
3832	powershell.exe
5356	powershell.exe
5848	powershell.exe
5772	powershell.exe
2988	powershell.exe
3508	powershell.exe
3096	powershell.exe
1340	powershell.exe
1920	powershell.exe
6032	csrss.exe
3644	csrss.exe
2852	csrss.exe
4252	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	5848	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	6032	csrss.exe
Token: SeDebugPrivilege	3644	csrss.exe
Token: SeDebugPrivilege	2852	csrss.exe
Token: SeDebugPrivilege	4252	csrss.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2988	644	1f0343adab1970d928320ce2aa587fd3.exe	117
PID 644 wrote to memory of 2988	644	1f0343adab1970d928320ce2aa587fd3.exe	117
PID 644 wrote to memory of 5848	644	1f0343adab1970d928320ce2aa587fd3.exe	118
PID 644 wrote to memory of 5848	644	1f0343adab1970d928320ce2aa587fd3.exe	118
PID 644 wrote to memory of 3508	644	1f0343adab1970d928320ce2aa587fd3.exe	120
PID 644 wrote to memory of 3508	644	1f0343adab1970d928320ce2aa587fd3.exe	120
PID 644 wrote to memory of 1612	644	1f0343adab1970d928320ce2aa587fd3.exe	121
PID 644 wrote to memory of 1612	644	1f0343adab1970d928320ce2aa587fd3.exe	121
PID 644 wrote to memory of 5772	644	1f0343adab1970d928320ce2aa587fd3.exe	122
PID 644 wrote to memory of 5772	644	1f0343adab1970d928320ce2aa587fd3.exe	122
PID 644 wrote to memory of 3096	644	1f0343adab1970d928320ce2aa587fd3.exe	123
PID 644 wrote to memory of 3096	644	1f0343adab1970d928320ce2aa587fd3.exe	123
PID 644 wrote to memory of 1920	644	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 644 wrote to memory of 1920	644	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 644 wrote to memory of 5356	644	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 644 wrote to memory of 5356	644	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 644 wrote to memory of 1340	644	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 644 wrote to memory of 1340	644	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 644 wrote to memory of 3832	644	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 644 wrote to memory of 3832	644	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 644 wrote to memory of 5576	644	1f0343adab1970d928320ce2aa587fd3.exe	137
PID 644 wrote to memory of 5576	644	1f0343adab1970d928320ce2aa587fd3.exe	137
PID 5576 wrote to memory of 4828	5576	cmd.exe	140
PID 5576 wrote to memory of 4828	5576	cmd.exe	140
PID 5576 wrote to memory of 6032	5576	cmd.exe	142
PID 5576 wrote to memory of 6032	5576	cmd.exe	142
PID 6032 wrote to memory of 2696	6032	csrss.exe	144
PID 6032 wrote to memory of 2696	6032	csrss.exe	144
PID 6032 wrote to memory of 2684	6032	csrss.exe	145
PID 6032 wrote to memory of 2684	6032	csrss.exe	145
PID 2696 wrote to memory of 3644	2696	WScript.exe	147
PID 2696 wrote to memory of 3644	2696	WScript.exe	147
PID 3644 wrote to memory of 1332	3644	csrss.exe	148
PID 3644 wrote to memory of 1332	3644	csrss.exe	148
PID 3644 wrote to memory of 4968	3644	csrss.exe	149
PID 3644 wrote to memory of 4968	3644	csrss.exe	149
PID 1332 wrote to memory of 2852	1332	WScript.exe	158
PID 1332 wrote to memory of 2852	1332	WScript.exe	158
PID 2852 wrote to memory of 1416	2852	csrss.exe	159
PID 2852 wrote to memory of 1416	2852	csrss.exe	159
PID 2852 wrote to memory of 4424	2852	csrss.exe	160
PID 2852 wrote to memory of 4424	2852	csrss.exe	160
PID 1416 wrote to memory of 4252	1416	WScript.exe	161
PID 1416 wrote to memory of 4252	1416	WScript.exe	161
PID 4252 wrote to memory of 1856	4252	csrss.exe	162
PID 4252 wrote to memory of 1856	4252	csrss.exe	162
PID 4252 wrote to memory of 3432	4252	csrss.exe	163
PID 4252 wrote to memory of 3432	4252	csrss.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I8G5CMpsp2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4828
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b86c36-fa94-453a-97ca-a8b23488fee2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b99aac1a-d12c-4b97-b025-fb6ee7c68bdd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a09deda-edf3-48de-9efb-fb4e0ef69c9c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bb30cea-d1d4-444b-af67-c293f31de6c0.vbs"
        10⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f364a80-c41f-438a-9dfe-067aebda49e1.vbs"
        10⤵
        
        PID:3432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bcd1163-1caf-4803-bcff-861d4e1e5816.vbs"
        8⤵
        
        PID:4424
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bea0d63-b3d7-4299-b2e6-bae52b9786ca.vbs"
        6⤵
        
        PID:4968
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2255c0c1-fa41-466b-928e-807e3fe3ae21.vbs"
      4⤵
      PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe

Filesize
1.6MB

MD5
3130bf9d4e7c66d4235819eb301e1e4b

SHA1
599aa6d6062951f1f25ac01490ab6c38f540f6f1

SHA256
858bd1d0501d87a3500ee56b599c4b0426c8af0e851cd48f46007b1f0ced1b97

SHA512
831fdf86d7870880ad8f9db9fdc28996e1db2e1b14a09d205296d8ba2f99a40a90e221b0fb6d9208f4bf63556010374205258c76a33cce4ebdd8bd3ad733c81f

Download Submit
C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe

Filesize
1.6MB

MD5
64dbbe5dc6bab5dc63516677f58459b5

SHA1
2380c8927241c5bf30c23d4054ff9fd2cf57255c

SHA256
228a0a936d187a73f9ca126d5f994a76d238de1f76647f208a273502961cdeec

SHA512
4bcd4e2436bd910669366acba28eaa6875de332dbc994528d38ed01d6adbe30ae597e7d3ddeb4d3541d304cd7fae20f9e74977fe1413f732e84ec7848e5a3b5c

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe

Filesize
1.6MB

MD5
d3c8adababde7eb5782d0c6108f44fc7

SHA1
199fec9b78f5613dad52638d0eb3c46c09df3905

SHA256
8a8dc85924f55c21a921871ffb9ac6f9b2e6bde0ade95884628701eccb7097c9

SHA512
7d803d7e0c9a6609682a36f4a3b7857297e34f296b33aa4678cf8d5e48ff960ab80c63e9b7a533af7226ba75d5b9d65dd225ba5f4c1c3ad385811882e163e1f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ff4a967012d041f24f777799e626cce4

SHA1
cd1d31edfe04a9b39f8b2732376ba466c8a66346

SHA256
2bb6758e5d9612b5d554149ea754704ae992db5f1848a060f50e08ffbfc85d4e

SHA512
45a214acf08c71fbc4946a624d1ff4d95f08c508bd157990447addd9556c75dbba2dfd41c42cd22c14f0dd92b2685775bb04b8c561d34d793564e07edc922421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c558a929f5c991ed7363b323d4eb0b90

SHA1
2563cd152880eab5bc780933905f854b29c9d566

SHA256
04e3abee01c1053e991b06858069e06ffc9722659cf3d6e024f5d1f34c05a474

SHA512
06f804d44298137f74cfcd30c64661a30c6c27ef00f370485d98cfdbcc43e23ea1a8ac1c9d7fd65af08671bbe466dcde017b174912c17609499490971763b7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf751eaf7119de8092b52a9cdcbc1d46

SHA1
83aba8b3d2961dffd9697005b5d1e39194033647

SHA256
591aa6b231f0bf5f9550e56aee826889e94235ce5f7aae507a9db791330f22e5

SHA512
ae33f8101e2624ecb89b1d58b936230996ea341293571534715583685d2726fa685915c56d36998547b02b49804dd70c80eb7192c59c214c2622adde4271755a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a39de506d9f3cb0eef9451868bf8f3ff

SHA1
183758ff7964ae923989989be46a822e0d4dc37f

SHA256
d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416

SHA512
041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bb30cea-d1d4-444b-af67-c293f31de6c0.vbs

Filesize
757B

MD5
1997901bf61f75b59ae2769c5325726c

SHA1
1a2caa2afe2ba392479603840bf72fa0a828443b

SHA256
9a9d2c65b691c9cddf13b0e59e9115e40fee9cea1330510e57f1e81155864e38

SHA512
8b26291453a0db749696a1b6cf39aea052f23a708222bc237668ead7cc80a5a35dcdead8ed819bea4a909a2273d2a98dfb6c1888d59284cf0ef2fa0c5afc0917

Download Submit
C:\Users\Admin\AppData\Local\Temp\2255c0c1-fa41-466b-928e-807e3fe3ae21.vbs

Filesize
533B

MD5
ec4e1a0c473242c49a65ef810fa4007c

SHA1
b90e44b0f83157afe873af612d84ae73c328aa9f

SHA256
49035d90f7d1a909229318a63c42f7baf86b1412b3ad11aa8d5d34074d7acd4b

SHA512
411f4d109fe16aa6ca1955ddc6c0b7a75ccbb7cae4f52dbb883a46521b972140244ee4727e6d74b668e383bfce3c4355202dff7e315bdbcd64120ac8f45f508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a09deda-edf3-48de-9efb-fb4e0ef69c9c.vbs

Filesize
757B

MD5
5911ccd43da88dc879cf990fc3ed4b7a

SHA1
3281354c4aa9e30fb07b7181228e37c9cbe16b30

SHA256
3590ebb097f33473e41117e1403a391bc6f56eb3831fc80dbd343f207facf8f7

SHA512
a96c066a97fd3c2dafe04d0cc1c638e90aff959052774d3c747e0591a8340c16575115acb9b7bbed6bdd98f96111613dcb8767c45070562100525a30c6fee8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8G5CMpsp2.bat

Filesize
246B

MD5
bf5e3f4640378be6174836fe74360aa8

SHA1
14f5c9011b0d12b8e5ba8644a40ed86fcfa9c128

SHA256
f4cc55749d6a825e1d51bb635f7b68ca1b5befaee5566db04cc829b1cb3b0005

SHA512
7e3f04028921aa5d3ca56b6b1faa9d680873d79634a3b204932344c71d7f981cccb47ef82e8d036702db3e8f3fcec592e4dc0b45fdf876096e626ab4b66122d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0b3npl2.osy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b99aac1a-d12c-4b97-b025-fb6ee7c68bdd.vbs

Filesize
757B

MD5
879dee769abc5c681c0d6c5c2fc5e9f0

SHA1
f2311d1f051bbb74ee16f718569304d5d87f9a24

SHA256
82dd9adcd6985c40a9dfcd3f6f394c30a7d142b85705ce9b224b8cf67f2eda77

SHA512
809db2d5a3a4f547449cb7372a21fb78e642d2ffb5d0e6852fe67b2879532a9b16a75616693f4936960bbad280a509199ab46a4ddb1bbac6ae7257b4b07a5514

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5b86c36-fa94-453a-97ca-a8b23488fee2.vbs

Filesize
757B

MD5
5b86197ac099a22225c21fa6b4edb237

SHA1
3acb5c7f059518c837ade1a9a667d81a180a19da

SHA256
dae7d37b6385efc6152cb60dc8d492f5eb31493974b6fb513798fba48ad1e6bb

SHA512
5500887c4e37fc88077d1caa08ff9c3068ee6c583aa3d32ff486a5e20efe85af0a578e38bb1ce9e2ba1afb1f7fe131bbc6fee63983fcecf82cb6f86ad823b785

Download Submit
memory/644-13-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/644-0-0x00007FFA52D83000-0x00007FFA52D85000-memory.dmp

Filesize
8KB

Download
memory/644-4-0x0000000002F50000-0x0000000002FA0000-memory.dmp

Filesize
320KB

Download
memory/644-7-0x00000000016F0000-0x00000000016F8000-memory.dmp

Filesize
32KB

Download
memory/644-6-0x0000000001710000-0x0000000001726000-memory.dmp

Filesize
88KB

Download
memory/644-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download
memory/644-220-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/644-8-0x0000000001730000-0x0000000001740000-memory.dmp

Filesize
64KB

Download
memory/644-10-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/644-11-0x0000000002F10000-0x0000000002F1C000-memory.dmp

Filesize
48KB

Download
memory/644-12-0x0000000002F20000-0x0000000002F2A000-memory.dmp

Filesize
40KB

Download
memory/644-3-0x00000000016C0000-0x00000000016DC000-memory.dmp

Filesize
112KB

Download
memory/644-14-0x0000000002F40000-0x0000000002F48000-memory.dmp

Filesize
32KB

Download
memory/644-15-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

Filesize
32KB

Download
memory/644-2-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/644-16-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/644-17-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/644-9-0x0000000001740000-0x0000000001748000-memory.dmp

Filesize
32KB

Download
memory/644-5-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/3832-155-0x0000018E4C3E0000-0x0000018E4C402000-memory.dmp

Filesize
136KB

Download
memory/6032-268-0x0000000000840000-0x00000000009E2000-memory.dmp

Filesize
1.6MB

Download