Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15-10-2022 04:52
Static task
static1
Behavioral task
behavioral1
Sample
2c84169bc39cd8d6dd403fcec377131c.exe
Resource
win7-20220812-en
General
-
Target
2c84169bc39cd8d6dd403fcec377131c.exe
-
Size
4MB
-
MD5
2c84169bc39cd8d6dd403fcec377131c
-
SHA1
e2ea0fbe34f84d748745bb558414ebb829ed7031
-
SHA256
8cf64f5d90065639f894f78a334386f75ffe99f8c41b05b2f03cf0a5438b9276
-
SHA512
8a22ed9e6c98331663c291b9bb7b824a5bbb2a7f37c2ccc5e2b4afeafda9a8e5c1f44186b879bda7d850df975f6b1aba1c547ebe651decfe4fb8897de906ede5
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
DcRat 43 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes (pid process):
schtasks.exe: 5012, 2192, 1864, 952, 4052, 2492, 3700, 1616, 2772, 4108, 1572, 4016, 4116, 1540, 2356, 2260, 4488, 1796, 2960, 2676, 4912, 4436, 4796, 3980, 4940, 3048, 1180, 3296, 3948, 3968, 4472, 4912, 5068, 4692, 3420, 1324, 1332, 3968, 4548, 1628, 4568, 1804
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2c84169bc39cd8d6dd403fcec377131c.exe
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the parent is wmiprvse.exe, as it is for every entry here, the more usual cause is process creation through WMI (Win32_Process.Create): the WMI provider host becomes the parent of the new process instead of the caller, so the schtasks.exe instances do not appear under the sample in the process tree below.
Processes (description, pid, pid_target, process):
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 4316) is not expected to spawn this process; child schtasks.exe pids: 1616, 3948, 1540, 4052, 3968, 2356, 4472, 2960, 4912, 5012, 2676, 2192, 5068, 4692, 1324, 1332, 2772, 2260, 3980, 4488, 3968, 4912, 1864, 4436, 4548, 4940, 1628, 4108, 1796, 4568, 952, 1572, 3048, 2492, 3420, 1804, 4016, 1180, 3296, 4116, 4796, 3700
-
UAC bypass 9 IoCs
Writing 0 to these three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System switches UAC off (EnableLUA, effective after a reboot), lets administrators elevate without a prompt (ConsentPromptBehaviorAdmin, effective immediately) and stops prompts using the secure desktop (PromptOnSecureDesktop).
Processes (description, ioc, process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe
-
Executes dropped EXE 8 IoCs
Processes (pid process):
5052 tmp704E.tmp.exe
3936 tmp704E.tmp.exe
2404 2c84169bc39cd8d6dd403fcec377131c.exe
1152 tmpA112.tmp.exe
5088 tmpA112.tmp.exe
2024 conhost.exe
552 tmp77CB.tmp.exe
1532 tmp77CB.tmp.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 2c84169bc39cd8d6dd403fcec377131c.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 2c84169bc39cd8d6dd403fcec377131c.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation conhost.exe
-
Checks whether UAC is enabled 6 IoCs
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
39 ipinfo.io
38 ipinfo.io
-
Suspicious use of SetThreadContext 3 IoCs
Each tmp*.tmp.exe starts a second instance of itself, writes into it (see Suspicious use of WriteProcessMemory below) and then sets the child's thread context: the call sequence characteristic of process hollowing, with the payload running in the second instance.
Processes (description, pid, process, target process):
PID 5052 set thread context of 3936: tmp704E.tmp.exe -> tmp704E.tmp.exe
PID 1152 set thread context of 5088: tmpA112.tmp.exe -> tmpA112.tmp.exe
PID 552 set thread context of 1532: tmp77CB.tmp.exe -> tmp77CB.tmp.exe
-
Drops file in Program Files directory 15 IoCs
Every executable dropped here carries a name that looks like a Windows component (conhost.exe, spoolsv.exe, Idle.exe) but sits in a directory where no such binary belongs, and each drop is paired with a file with a hex-looking name (088424020bedd6, f3b6ecef712a24, 6ccacd8608530f). The copy at C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe is the one executed at the end of the process tree below.
Processes (description, ioc; all by 2c84169bc39cd8d6dd403fcec377131c.exe):
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe
File created C:\Program Files\VideoLAN\VLC\lua\extensions\088424020bedd6
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe
File created C:\Program Files\Windows NT\TableTextService\conhost.exe
File created C:\Program Files\Windows NT\TableTextService\088424020bedd6
File opened for modification C:\Program Files\Windows NT\TableTextService\conhost.exe
File opened for modification C:\Program Files (x86)\Common Files\Idle.exe
File created C:\Program Files (x86)\Common Files\Idle.exe
File created C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\088424020bedd6
File created C:\Program Files (x86)\Common Files\6ccacd8608530f
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe
-
Drops file in Windows directory 3 IoCs
Processes (description, ioc; all by 2c84169bc39cd8d6dd403fcec377131c.exe):
File created C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\Videos\e978f868350d50
File opened for modification C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; nothing else in this report (no bulk file modification, no ransom note) points that way, so for this RAT read it as drive enumeration during reconnaissance.
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The schtasks.exe command lines are not captured in this report, so task names, actions and triggers have to be recovered from the host (schtasks /query /fo LIST /v, the Task Scheduler operational event log, or the task XML files under C:\Windows\System32\Tasks).
Processes (pid process):
schtasks.exe: 4912, 2676, 2772, 3968, 4940, 4108, 2356, 4472, 1796, 4016, 1628, 4116, 4488, 3420, 1804, 3700, 1540, 3968, 3980, 1864, 3296, 3948, 4052, 5012, 1180, 2260, 4548, 4568, 952, 2492, 4796, 2960, 1324, 4436, 3048, 1332, 4912, 5068, 4692, 1572, 1616, 2192
-
Modifies registry class 3 IoCs
Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2c84169bc39cd8d6dd403fcec377131c.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings 2c84169bc39cd8d6dd403fcec377131c.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings conhost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, occurrences):
1928 2c84169bc39cd8d6dd403fcec377131c.exe (10)
4544 powershell.exe (3)
4332 powershell.exe (3)
1252 powershell.exe (3)
4448 powershell.exe (3)
4924 powershell.exe (3)
3412 powershell.exe (3)
4652 powershell.exe (3)
872 powershell.exe (3)
5000 powershell.exe (3)
4560 powershell.exe (3)
4988 powershell.exe (3)
816 powershell.exe (3)
2404 2c84169bc39cd8d6dd403fcec377131c.exe (14)
1184 powershell.exe (2)
3328 powershell.exe (2)
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes (description, pid, process; every entry is Token: SeDebugPrivilege):
1928 2c84169bc39cd8d6dd403fcec377131c.exe
powershell.exe: 4544, 4332, 4448, 4924, 1252, 3412, 4652, 872, 5000, 4560, 816, 4988
2404 2c84169bc39cd8d6dd403fcec377131c.exe
powershell.exe: 1184, 3328, 1696, 764, 688, 4692, 5064, 4024, 2824, 4308, 4944, 2392
2024 conhost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process):
2024 conhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process):
PID 1928 (2c84169bc39cd8d6dd403fcec377131c.exe) wrote to memory of 5052 (tmp704E.tmp.exe): 3 times
PID 5052 (tmp704E.tmp.exe) wrote to memory of 3936 (tmp704E.tmp.exe): 7 times
PID 1928 (2c84169bc39cd8d6dd403fcec377131c.exe) wrote to memory of powershell.exe 4448, 4332, 4924, 1252, 4544, 3412, 4652, 872, 5000, 4560, 4988, 816: 2 times each
PID 1928 (2c84169bc39cd8d6dd403fcec377131c.exe) wrote to memory of 2404 (2c84169bc39cd8d6dd403fcec377131c.exe): 2 times
PID 2404 (2c84169bc39cd8d6dd403fcec377131c.exe) wrote to memory of 1152 (tmpA112.tmp.exe): 3 times
PID 1152 (tmpA112.tmp.exe) wrote to memory of 5088 (tmpA112.tmp.exe): 7 times
PID 2404 (2c84169bc39cd8d6dd403fcec377131c.exe) wrote to memory of powershell.exe 3328, 1184, 1696, 764, 688, 4692, 5064, 4024, 4308: 2 times each
-
System policy modification 1 TTPs 9 IoCs
Processes (description, ioc, process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe
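The registry writes in this section, parsed from the report's own IoC lines into structured records and reduced to what they do to UAC and which processes made them. This is an added example, not code from the report or the sandbox vendor; the sample lines are copied from this section and from the Checks computer location settings section, and the meaning attached to each value written as 0 is standard Windows UAC policy semantics.

```python
"""Parse the sandbox's registry IoC lines and summarise their effect on UAC.

Added example, not part of the report. SAMPLE_IOCS is copied from the
System policy modification and Checks computer location settings sections;
UAC_ZERO_MEANS states standard Windows UAC policy semantics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What writing 0 to each value under that key does.
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC switched off entirely (takes effect after a reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no prompt (effective immediately)",
    "PromptOnSecureDesktop": "elevation prompts no longer use the secure desktop",
}

# Two shapes appear in the report:
#   Set value (int) <key\value> = "<data>" <process>
#   Key value queried <key\value> <process>
IOC_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'            # lazy: stops before ' = ' or the process name
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)

SET = "Set value (int) " + UAC_POLICY_KEY + "\\"
SAMPLE_IOCS = [  # copied from the report, in its order
    SET + 'EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'PromptOnSecureDesktop = "0" conhost.exe',
    SET + 'PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'EnableLUA = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'ConsentPromptBehaviorAdmin = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'PromptOnSecureDesktop = "0" 2c84169bc39cd8d6dd403fcec377131c.exe',
    SET + 'EnableLUA = "0" conhost.exe',
    SET + 'ConsentPromptBehaviorAdmin = "0" conhost.exe',
    "Key value queried " + UAC_POLICY_KEY + "\\EnableLUA 2c84169bc39cd8d6dd403fcec377131c.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation conhost.exe",
]


@dataclass(frozen=True)
class RegistryIoc:
    op: str                 # "set" or "query"
    path: str               # key\value path exactly as the sandbox prints it
    value: Optional[str]    # data written for "set", None for "query"
    process: str

    @property
    def key(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def parse_ioc(line: str) -> Optional[RegistryIoc]:
    """One report line -> RegistryIoc, or None if the line is not a registry IoC."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    op = "query" if m.group("op").startswith("Key") else "set"
    return RegistryIoc(op, m.group("path"), m.group("value"), m.group("process"))


def parse_all(lines) -> List[RegistryIoc]:
    return [ioc for ioc in map(parse_ioc, lines) if ioc is not None]


def uac_policy_writes(iocs) -> List[RegistryIoc]:
    """Only writes under the UAC policy key, in report order (key paths compared case-insensitively)."""
    return [i for i in iocs if i.op == "set" and i.key.lower() == UAC_POLICY_KEY.lower()]


def uac_posture(iocs):
    """Last value written to each UAC policy setting, plus a finding for each one set to 0."""
    state = {}
    for i in uac_policy_writes(iocs):
        state[i.name] = i.value
    findings = [f"{n}=0: {UAC_ZERO_MEANS[n]}" for n, v in state.items()
                if v == "0" and n in UAC_ZERO_MEANS]
    return state, findings


def tampering_processes(iocs) -> List[str]:
    """Processes that wrote the UAC policy key, first-seen order, no duplicates."""
    seen: List[str] = []
    for i in uac_policy_writes(iocs):
        if i.process not in seen:
            seen.append(i.process)
    return seen


if __name__ == "__main__":
    iocs = parse_all(SAMPLE_IOCS)
    state, findings = uac_posture(iocs)
    print("final UAC policy values:", state)
    for f in findings:
        print(" -", f)
    print("written by:", ", ".join(tampering_processes(iocs)))
```

On a live host the same three values can be read back with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"`; ConsentPromptBehaviorAdmin=0 takes effect as soon as it is written, whereas EnableLUA=0 only after a reboot, so a machine can look like UAC is still on while already elevating silently.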
Processes
Each entry gives the depth in the tree in brackets, the image path, the command line, and the signatures that process triggered. The twelve powershell.exe children of each stage exclude C:/ and every top-level directory under it from Defender scanning; the exclusions persist under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths and are listed by Get-MpPreference. The batch file run by cmd.exe at depth 3 calls w32tm /stripchart (five-second period, two samples) as a delay before it launches the conhost.exe copy dropped under the VLC directory.
-
[1] C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe"
    - DcRat
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
-
  [2] C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe"
        - Executes dropped EXE
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
-
    [3] C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe"
          - Executes dropped EXE
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        - Suspicious use of AdjustPrivilegeToken
-
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5SY0RjS3i.bat"
-
      [4] C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
      [4] C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe
          Command line: "C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3daaba4-a7ca-4c9f-a547-98259f9c3973.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa4933b-5779-461f-aa4d-3cedbf2c4f00.vbs"5⤵
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\powershell.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
10MB
-
memory/4988-172-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10MB
-
memory/4988-154-0x0000000000000000-mapping.dmp
-
memory/5000-152-0x0000000000000000-mapping.dmp
-
memory/5000-201-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10MB
-
memory/5000-164-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10MB
-
memory/5052-139-0x000000000124B000-0x0000000001251000-memory.dmpFilesize
24KB
-
memory/5052-136-0x0000000000000000-mapping.dmp
-
memory/5064-226-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10MB
-
memory/5064-211-0x0000000000000000-mapping.dmp
-
memory/5064-246-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmpFilesize
10MB
-
memory/5088-189-0x0000000000000000-mapping.dmp