dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
159s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

1466f001f010dfed5838484c2fb25a56
SHA1

489c707fd9d43574e536b4da4f15d3965d57c2fc
SHA256

d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc
SHA512

35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0
SSDEEP

12288:4epPM2lx+HOqRo1lEBht1ylUyeewN3eJE3/oZ4DFWX4DBYFn9ducCSLEelT+wsHu:X0Vey/Olg5pwZesvCStZsbqSNz6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4748	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral6/memory/616-146-0x0000000000400000-0x000000000053A000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts tmp.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

5284 csrss.exe
4052 csrss.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tmp.exe

pid	process
5284	csrss.exe
4052	csrss.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exetmp.execsrss.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.execsrss.exe

description pid process target process

PID 1152 set thread context of 616 1152 tmp.exe tmp.exe
PID 5284 set thread context of 4052 5284 csrss.exe csrss.exe

description	pid	process	target process
PID 1152 set thread context of 616	1152	tmp.exe	tmp.exe
PID 5284 set thread context of 4052	5284	csrss.exe	csrss.exe

Drops file in Program Files directory 11 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\WmiPrvSE.exe	tmp.exe
File created	C:\Program Files\MSBuild\winlogon.exe	tmp.exe
File created	C:\Program Files\MSBuild\cc11b995f2a76d	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\skins\27d1bcfc3c54e0	tmp.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	tmp.exe
File created	C:\Program Files (x86)\Internet Explorer\SearchApp.exe	tmp.exe
File created	C:\Program Files (x86)\Internet Explorer\38384e6a620884	tmp.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\24dbde2999530e	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\skins\System.exe	tmp.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SearchApp.exe	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Windows\DiagTrack\886983d96e3d3e	tmp.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\conhost.exe	tmp.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\088424020bedd6	tmp.exe
File created	C:\Windows\DiagTrack\csrss.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4928	schtasks.exe
4244	schtasks.exe
2184	schtasks.exe
1384	schtasks.exe
4076	schtasks.exe
3256	schtasks.exe
936	schtasks.exe
1564	schtasks.exe
4344	schtasks.exe
3464	schtasks.exe
1952	schtasks.exe
3552	schtasks.exe
1468	schtasks.exe
2364	schtasks.exe
628	schtasks.exe
5112	schtasks.exe
1608	schtasks.exe
3752	schtasks.exe
3568	schtasks.exe
2824	schtasks.exe
2872	schtasks.exe
4836	schtasks.exe
4520	schtasks.exe
4860	schtasks.exe
1568	schtasks.exe
4208	schtasks.exe
3604	schtasks.exe
3672	schtasks.exe
3060	schtasks.exe
960	schtasks.exe
4588	schtasks.exe
1668	schtasks.exe
4180	schtasks.exe
3640	schtasks.exe
3468	schtasks.exe
4264	schtasks.exe
2744	schtasks.exe
4844	schtasks.exe
3832	schtasks.exe
3404	schtasks.exe
1860	schtasks.exe
3428	schtasks.exe

Modifies registry class 2 IoCs

Processes:

tmp.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2828	powershell.exe
2828	powershell.exe
3448	powershell.exe
3448	powershell.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
616	tmp.exe
4552	powershell.exe
4552	powershell.exe
4324	powershell.exe
4324	powershell.exe
4084	powershell.exe
4084	powershell.exe
4956	powershell.exe
4956	powershell.exe
3108	powershell.exe
3108	powershell.exe
1460	powershell.exe
1460	powershell.exe
3160	powershell.exe
3160	powershell.exe
4448	powershell.exe
4448	powershell.exe
3572	powershell.exe
3572	powershell.exe
224	powershell.exe
224	powershell.exe
1648	powershell.exe
1648	powershell.exe
3692	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

tmp.exepowershell.exepowershell.exetmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1152	tmp.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	616	tmp.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	5284	csrss.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeDebugPrivilege	4052	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.exetmp.exe

description	pid	process	target process
PID 1152 wrote to memory of 2828	1152	tmp.exe	powershell.exe
PID 1152 wrote to memory of 2828	1152	tmp.exe	powershell.exe
PID 1152 wrote to memory of 2828	1152	tmp.exe	powershell.exe
PID 1152 wrote to memory of 2388	1152	tmp.exe	cmd.exe
PID 1152 wrote to memory of 2388	1152	tmp.exe	cmd.exe
PID 1152 wrote to memory of 2388	1152	tmp.exe	cmd.exe
PID 2388 wrote to memory of 3448	2388	cmd.exe	powershell.exe
PID 2388 wrote to memory of 3448	2388	cmd.exe	powershell.exe
PID 2388 wrote to memory of 3448	2388	cmd.exe	powershell.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 1152 wrote to memory of 616	1152	tmp.exe	tmp.exe
PID 616 wrote to memory of 4324	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4324	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4324	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4552	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4552	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4552	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4956	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4956	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4956	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3108	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3108	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3108	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4084	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4084	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4084	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1460	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1460	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1460	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3160	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3160	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3160	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4448	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4448	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4448	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3572	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3572	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3572	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 224	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 224	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 224	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1648	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1648	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1648	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3216	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3216	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 3216	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 4692	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 2456	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 2456	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 2456	616	tmp.exe	powershell.exe
PID 616 wrote to memory of 1380	616	tmp.exe	cmd.exe
PID 616 wrote to memory of 1380	616	tmp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\wininit.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\csrss.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\TrustedInstaller.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\conhost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WmiPrvSE.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\winlogon.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\System.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\spoolsv.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kzuKZGyJg0.bat"
3⤵
PID:1380

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2320

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1300

C:\Windows\DiagTrack\csrss.exe
"C:\Windows\DiagTrack\csrss.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:6132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Windows\DiagTrack\csrss.exe
C:\Windows\DiagTrack\csrss.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856d5ca4-e402-45b5-949f-021aa6c7fcaa.vbs"
6⤵
PID:1940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e7e8b01-b12e-42c4-9d23-bf0dd6206898.vbs"
6⤵
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\odt\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csrss.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
170a76c09a9df2043d100decefe31045

SHA1
f28d934655e4c1ab222c00bde8f92e4bab805eb0

SHA256
34a5e8d0f6e4e0d99d95da57b443d841da1454a2c836551c0b1806f0433bf588

SHA512
03032312b7a83347c2400178d55f6a2b4876c81a7d51bf73cc78f8afbf92460fcf1df941c32ae5e61597ecc7cc5731f0630feaeb617177ba183aff01bc67a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
4df050c707626318f2ff78dbc561765f

SHA1
e2b8c39500fbfa79f62a927821c62e3d5aa9f878

SHA256
3ff3fc121b80477f624761b5e92a11f36f79b7a3ff62602aac5d6059c489c878

SHA512
42c87628c966f9ba03595eb0ee10b5ff838c80e998899545e873a3acc9f37de99f9a689832ef4673a39e8a6aa9758a8f471ea2a98ad1d871476f02822cd206c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a86a406763afd0b4e5cac15211af8532

SHA1
2b30066d6e549a1a7163fa561ee8898046846c9f

SHA256
28cdfaedf272f3b810a443382beafa39d826f26f03418399523c7045df82ba7a

SHA512
908970d8d2046e557bb1bdc9a08268c37982943574aa54fd7ae8ccb022c9dd354f9df79c1eda8fa87ee293a76db71c21deba0da2a52af193dcbeed956a4dd257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8a823ca43ad141fe7c6c708d10856558

SHA1
f0e61cf8184a8c33ef14fb281049c1569abd9831

SHA256
827ace572b46fc4c1534dd4f60cb874d953c7aa81f987093d0b0d65f7d76f5cf

SHA512
3d51fd8f8a62df5ef896647992e23ddbb5be07860c29ed9eb92b3af382bd83f1a5fe04a5130d5e1c4e1436b26c801e10d8262b8d72a7d59fe5f93c5893f69b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
72fe700d7cb357084d2ccaaaef7719f5

SHA1
24c4cb1309364363dd8d0100c86cc0a280c1af75

SHA256
9b3927fe643b30f0c99753e91f42b9d6101d286b53a2b4394d276e3ee0002e64

SHA512
6ea6c3cc9c0a6b6fd23c1b5641787392a403181da943ddf61e032e4b0336489760aa184c8fabda6782c2053f6490941a1279943fc94bd5f07fe7b87848d3aa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
72fe700d7cb357084d2ccaaaef7719f5

SHA1
24c4cb1309364363dd8d0100c86cc0a280c1af75

SHA256
9b3927fe643b30f0c99753e91f42b9d6101d286b53a2b4394d276e3ee0002e64

SHA512
6ea6c3cc9c0a6b6fd23c1b5641787392a403181da943ddf61e032e4b0336489760aa184c8fabda6782c2053f6490941a1279943fc94bd5f07fe7b87848d3aa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bc51f396f3f52ac475f287cef4a619b7

SHA1
620c9e86fc14ff1e588fec82e3cbd8bf0b6cbb09

SHA256
fa44a9b579ee5e1d9b2102679fca90f40563073ce5f5b00940aac437d78c1521

SHA512
4ad6ff5a00cd4a4fa3215c941125fb4c3a93bf401647abbe79bdbca8b073307669b2ae613c387ce34e5664a6d94a5f7fc7ecf20889f3447b477bd6edd06542c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bc51f396f3f52ac475f287cef4a619b7

SHA1
620c9e86fc14ff1e588fec82e3cbd8bf0b6cbb09

SHA256
fa44a9b579ee5e1d9b2102679fca90f40563073ce5f5b00940aac437d78c1521

SHA512
4ad6ff5a00cd4a4fa3215c941125fb4c3a93bf401647abbe79bdbca8b073307669b2ae613c387ce34e5664a6d94a5f7fc7ecf20889f3447b477bd6edd06542c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bc51f396f3f52ac475f287cef4a619b7

SHA1
620c9e86fc14ff1e588fec82e3cbd8bf0b6cbb09

SHA256
fa44a9b579ee5e1d9b2102679fca90f40563073ce5f5b00940aac437d78c1521

SHA512
4ad6ff5a00cd4a4fa3215c941125fb4c3a93bf401647abbe79bdbca8b073307669b2ae613c387ce34e5664a6d94a5f7fc7ecf20889f3447b477bd6edd06542c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e7cf13a5c40978461d021533a998d2cf

SHA1
73bbd264f0319175f3abb84f23eb98924cd129d1

SHA256
e1d88a631b6886ef90eb728a28616172327e78853567e86e9a04dcd2bbb0ca85

SHA512
9b2150187540dbff8b64e7591648816a47656f34a2fc25bdb4c1ebb14e37b7e8955c81bfd8f3a868b92f6cd7299689b79dde70317e9b84e98152748bca7178d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e983f98bb4fb23bfbd3e85cdf874066a

SHA1
4e429934c8829031ff05ed6ec7bc6c2515df39c5

SHA256
7b5a65c8d8beed29620d5446a653e40ca838b69a4d8250557f22ba6ae9328614

SHA512
7ccde85bf57bcfc02bb1048afb8a441e83b22152adafaff61be5bad4f9eb8e5d9aa67e2e63382064f433734cf7ac6a8d0c5732aa6a271ee2e1da428273ef652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8c935981f83ae9e85979a677d3f41442

SHA1
dd1b42d6fe04752951c05ac7324bfc5b286cb7a9

SHA256
dd259adc73eaa5c4186cdbc196126e58df218d737327630cae1038c050168cda

SHA512
45ba947066f1902facea6338916d6315b33c9a9786e14fb0c79fc6f273a116277c0b1cdf9cc04dcce10400170588ee782c5c74c74ebdac9d1deb7aba3042e342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8c935981f83ae9e85979a677d3f41442

SHA1
dd1b42d6fe04752951c05ac7324bfc5b286cb7a9

SHA256
dd259adc73eaa5c4186cdbc196126e58df218d737327630cae1038c050168cda

SHA512
45ba947066f1902facea6338916d6315b33c9a9786e14fb0c79fc6f273a116277c0b1cdf9cc04dcce10400170588ee782c5c74c74ebdac9d1deb7aba3042e342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8c935981f83ae9e85979a677d3f41442

SHA1
dd1b42d6fe04752951c05ac7324bfc5b286cb7a9

SHA256
dd259adc73eaa5c4186cdbc196126e58df218d737327630cae1038c050168cda

SHA512
45ba947066f1902facea6338916d6315b33c9a9786e14fb0c79fc6f273a116277c0b1cdf9cc04dcce10400170588ee782c5c74c74ebdac9d1deb7aba3042e342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
934cd56f05162671ac984f49514b951f

SHA1
1c073929418400734011964a465f7c81fa0180f0

SHA256
3a4d89f98a8f9de7e3adc2dff290b36d3444893f846121057d03700a498e6969

SHA512
9ba296f6db9fc5fa5b364c1e082125815a0654052445eb77d37a490ec427b2cc7472a01f571329378eb34058d0168a7feae447d48c2004d1334246b13570608f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e7e8b01-b12e-42c4-9d23-bf0dd6206898.vbs
Filesize
482B

MD5
9359f26877089d3bfa632d3625e77e30

SHA1
3d2133302e2411a0fdfdc0c7679b1f887c7fe4be

SHA256
469bd02355fb4dca97e12c0d596d472f4c086df117900f19ccc41428425024ab

SHA512
2e1238772bb1d071839e4f63f58238b29c37d34990c6f11842ce9bf14e4cacb61609aadf3ffcdc4bcbaf5bce3b116da253c272aec669676d0e2dc050ddc118a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\856d5ca4-e402-45b5-949f-021aa6c7fcaa.vbs
Filesize
706B

MD5
f47153677df83f755d47c1f3175eb085

SHA1
7731dcf8aad9335b2df8dcc13182138166f03a05

SHA256
6f476d696caca8cb6fb157adfec013dac8c2ed76886a4ef86392116aac68ad56

SHA512
685eeb598d6ef05a52507972a5ada53c9a433adc3c76b76a3f24e53ef8508af9c148bc960ab9c527f81dd1412432d556cb2d84fc7720e826d8d02651c7a8d112

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzuKZGyJg0.bat
Filesize
195B

MD5
66cd4ef106edc50a8932a4c073a0f469

SHA1
66fd46af49a0780218c68bae421b6887329b807b

SHA256
afd5769285b64d68a0a89431d3b116785c37fe7680e5c5e777116ba1d90bdf78

SHA512
1e9e25a497ed679bc35ce91737c94952aad5a5afc3febd2226a4376b7f2ebb0c7b264899e6e6b71c3837d425db90bbe10a4afa5ae1b559dba16b8d7a5c06432b

Download Submit
C:\Windows\DiagTrack\csrss.exe
Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Windows\DiagTrack\csrss.exe
Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Windows\DiagTrack\csrss.exe
Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
memory/224-188-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/224-167-0x0000000000000000-mapping.dmp

Download
memory/616-152-0x0000000005AE0000-0x0000000005B30000-memory.dmp

Filesize
320KB

Download
memory/616-145-0x0000000000000000-mapping.dmp

Download
memory/616-146-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/616-149-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/616-150-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/1152-133-0x0000000008AC0000-0x0000000008AE2000-memory.dmp

Filesize
136KB

Download
memory/1152-132-0x0000000000960000-0x0000000000A84000-memory.dmp

Filesize
1.1MB

Download
memory/1300-179-0x0000000000000000-mapping.dmp

Download
memory/1380-175-0x0000000000000000-mapping.dmp

Download
memory/1460-186-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/1460-163-0x0000000000000000-mapping.dmp

Download
memory/1648-193-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/1648-169-0x0000000000000000-mapping.dmp

Download
memory/1940-329-0x0000000000000000-mapping.dmp

Download
memory/2320-178-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x0000000000000000-mapping.dmp

Download
memory/2456-173-0x0000000000000000-mapping.dmp

Download
memory/2456-192-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/2828-140-0x0000000007210000-0x000000000788A000-memory.dmp

Filesize
6.5MB

Download
memory/2828-134-0x0000000000000000-mapping.dmp

Download
memory/2828-135-0x0000000004610000-0x0000000004646000-memory.dmp

Filesize
216KB

Download
memory/2828-136-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/2828-137-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/2828-138-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/2828-139-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/2828-141-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/3108-184-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/3108-161-0x0000000000000000-mapping.dmp

Download
memory/3160-164-0x0000000000000000-mapping.dmp

Download
memory/3160-185-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/3216-194-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/3216-170-0x0000000000000000-mapping.dmp

Download
memory/3448-153-0x0000000006770000-0x00000000067A2000-memory.dmp

Filesize
200KB

Download
memory/3448-154-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/3448-155-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3448-156-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/3448-157-0x00000000077A0000-0x0000000007836000-memory.dmp

Filesize
600KB

Download
memory/3448-171-0x0000000006060000-0x000000000606E000-memory.dmp

Filesize
56KB

Download
memory/3448-174-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/3448-143-0x0000000000000000-mapping.dmp

Download
memory/3448-176-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/3572-190-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/3572-166-0x0000000000000000-mapping.dmp

Download
memory/3692-168-0x0000000000000000-mapping.dmp

Download
memory/3692-189-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4052-323-0x0000000000000000-mapping.dmp

Download
memory/4084-162-0x0000000000000000-mapping.dmp

Download
memory/4084-182-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4324-158-0x0000000000000000-mapping.dmp

Download
memory/4324-181-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4448-165-0x0000000000000000-mapping.dmp

Download
memory/4448-187-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4552-159-0x0000000000000000-mapping.dmp

Download
memory/4552-180-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4692-172-0x0000000000000000-mapping.dmp

Download
memory/4692-191-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/4956-160-0x0000000000000000-mapping.dmp

Download
memory/4956-183-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/5176-325-0x0000000000000000-mapping.dmp

Download
memory/5284-223-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-229-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-253-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-255-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-257-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-259-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-249-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-247-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-195-0x0000000000000000-mapping.dmp

Download
memory/5284-245-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-243-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-241-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-239-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-237-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-235-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-233-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-231-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-251-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-227-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-225-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-221-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-219-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-217-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-215-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-213-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-211-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-198-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-207-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-209-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-205-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-203-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-201-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5284-199-0x0000000006C30000-0x0000000006C71000-memory.dmp

Filesize
260KB

Download
memory/5336-330-0x0000000000000000-mapping.dmp

Download
memory/5812-305-0x0000000000000000-mapping.dmp

Download
memory/6132-322-0x0000000000000000-mapping.dmp

Download