dcrat | c00b5a8c5635fbf1075f5048ee4ef28f9926f2e5d72a903e1a10cbdad1812de3

Analysis

max time kernel
38s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FGZlVYbGGS.exe
Size

2.9MB
MD5

f005ea5a727f0543d559c4d430c9078b
SHA1

a671eac2ca2ae7eb39980f9cca0261b346246152
SHA256

c00b5a8c5635fbf1075f5048ee4ef28f9926f2e5d72a903e1a10cbdad1812de3
SHA512

ea69ebef2c24158c94713e5b9afe426c105d350163fb87b56c0c1bb684a0dcd40b5fd789b6fbdffaaa25b70bedb8690043e3bc0816fdef2f72a3681792211fc6
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1280	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

FGZlVYbGGS.exesihost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4872-132-0x0000000000D90000-0x0000000001076000-memory.dmp	dcrat
C:\Program Files\Java\sihost.exe	dcrat
C:\Program Files\Java\sihost.exe	dcrat
behavioral2/memory/2764-161-0x00000000008C0000-0x0000000000BA6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

2764 sihost.exe

pid	process
2764	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FGZlVYbGGS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	FGZlVYbGGS.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

FGZlVYbGGS.exesihost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Drops file in Program Files directory 24 IoCs

Processes:

FGZlVYbGGS.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\c5b4cb5e9653cc	FGZlVYbGGS.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	FGZlVYbGGS.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9	FGZlVYbGGS.exe
File created	C:\Program Files (x86)\Windows Mail\SearchApp.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SearchApp.exe	FGZlVYbGGS.exe
File created	C:\Program Files (x86)\Windows Mail\38384e6a620884	FGZlVYbGGS.exe
File created	C:\Program Files\Java\sihost.exe	FGZlVYbGGS.exe
File created	C:\Program Files\Java\66fc9ff0ee96c2	FGZlVYbGGS.exe
File created	C:\Program Files (x86)\Microsoft\Temp\services.exe	FGZlVYbGGS.exe
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Java\RCX80C4.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Java\sihost.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX8BC4.tmp	FGZlVYbGGS.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe	FGZlVYbGGS.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX7370.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\services.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	FGZlVYbGGS.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX8355.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX8615.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX9917.tmp	FGZlVYbGGS.exe

Drops file in Windows directory 12 IoCs

Processes:

FGZlVYbGGS.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\Idle.exe	FGZlVYbGGS.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\ea1d8f6d871115	FGZlVYbGGS.exe
File created	C:\Windows\L2Schemas\dllhost.exe	FGZlVYbGGS.exe
File opened for modification	C:\Windows\ServiceProfiles\Idle.exe	FGZlVYbGGS.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\upfc.exe	FGZlVYbGGS.exe
File opened for modification	C:\Windows\L2Schemas\RCX9657.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Windows\L2Schemas\dllhost.exe	FGZlVYbGGS.exe
File created	C:\Windows\ServiceProfiles\6ccacd8608530f	FGZlVYbGGS.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\upfc.exe	FGZlVYbGGS.exe
File created	C:\Windows\L2Schemas\5940a34987c991	FGZlVYbGGS.exe
File opened for modification	C:\Windows\ServiceProfiles\RCX8E75.tmp	FGZlVYbGGS.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCX93B6.tmp	FGZlVYbGGS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
380	schtasks.exe
1076	schtasks.exe
4252	schtasks.exe
5096	schtasks.exe
3132	schtasks.exe
4664	schtasks.exe
4284	schtasks.exe
1664	schtasks.exe
4868	schtasks.exe
4496	schtasks.exe
3616	schtasks.exe
5020	schtasks.exe
4580	schtasks.exe
540	schtasks.exe
1648	schtasks.exe
1516	schtasks.exe
3868	schtasks.exe
1152	schtasks.exe
3304	schtasks.exe
3128	schtasks.exe
228	schtasks.exe
4640	schtasks.exe
5116	schtasks.exe
3680	schtasks.exe
2112	schtasks.exe
2572	schtasks.exe
1128	schtasks.exe
4964	schtasks.exe
4308	schtasks.exe
3608	schtasks.exe
1504	schtasks.exe
1132	schtasks.exe
4612	schtasks.exe
1588	schtasks.exe
1632	schtasks.exe
4084	schtasks.exe
1060	schtasks.exe
1508	schtasks.exe
4428	schtasks.exe
4288	schtasks.exe
3596	schtasks.exe
5064	schtasks.exe
1352	schtasks.exe
5000	schtasks.exe
3692	schtasks.exe

Modifies registry class 1 IoCs

Processes:

FGZlVYbGGS.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ FGZlVYbGGS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FGZlVYbGGS.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

FGZlVYbGGS.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesihost.exe

pid	process
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
4872	FGZlVYbGGS.exe
5080	powershell.exe
3524	powershell.exe
3524	powershell.exe
4984	powershell.exe
4984	powershell.exe
3956	powershell.exe
3956	powershell.exe
4504	powershell.exe
4504	powershell.exe
3752	powershell.exe
3752	powershell.exe
4724	powershell.exe
4724	powershell.exe
2992	powershell.exe
2992	powershell.exe
4264	powershell.exe
4264	powershell.exe
2896	powershell.exe
2896	powershell.exe
3256	powershell.exe
3256	powershell.exe
2168	powershell.exe
2168	powershell.exe
5080	powershell.exe
5080	powershell.exe
4984	powershell.exe
2992	powershell.exe
4504	powershell.exe
3524	powershell.exe
3524	powershell.exe
3956	powershell.exe
3752	powershell.exe
3256	powershell.exe
4724	powershell.exe
4264	powershell.exe
2896	powershell.exe
2168	powershell.exe
2764	sihost.exe
2764	sihost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

FGZlVYbGGS.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesihost.exe

description	pid	process
Token: SeDebugPrivilege	4872	FGZlVYbGGS.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2764	sihost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

FGZlVYbGGS.exe

description	pid	process	target process
PID 4872 wrote to memory of 5080	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 5080	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3524	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3524	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4984	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4984	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4504	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4504	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3752	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3752	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4264	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4264	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3956	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3956	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2896	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2896	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4724	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 4724	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2992	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2992	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3256	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 3256	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2168	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2168	4872	FGZlVYbGGS.exe	powershell.exe
PID 4872 wrote to memory of 2764	4872	FGZlVYbGGS.exe	sihost.exe
PID 4872 wrote to memory of 2764	4872	FGZlVYbGGS.exe	sihost.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

FGZlVYbGGS.exesihost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

C:\Users\Admin\AppData\Local\Temp\FGZlVYbGGS.exe
"C:\Users\Admin\AppData\Local\Temp\FGZlVYbGGS.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Program Files\Java\sihost.exe
"C:\Program Files\Java\sihost.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c20910d-4b3c-4dc8-bcf7-4ad074771e4d.vbs"
3⤵
PID:420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d16b3b1-1892-4762-915d-83beb45f39fc.vbs"
3⤵
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3424

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\sihost.exe
Filesize
2.9MB

MD5
c3dbd4aae02cd3690db78048b3d42307

SHA1
d042b5d3914dfec3d71ddeb6423055f1eb77ce73

SHA256
2e9e05188a04252c024728d30c2b8fb798e9a92666d294cbaff7e11f84649838

SHA512
af4b5284873c5093792ec498da816bd388d1abcf62add460acf84d01055f2ae0029a5f72e20ef81250e0582e3f1de96d721f80263b27f2c81b231ff54446a5bc

Download Submit
C:\Program Files\Java\sihost.exe
Filesize
2.9MB

MD5
c3dbd4aae02cd3690db78048b3d42307

SHA1
d042b5d3914dfec3d71ddeb6423055f1eb77ce73

SHA256
2e9e05188a04252c024728d30c2b8fb798e9a92666d294cbaff7e11f84649838

SHA512
af4b5284873c5093792ec498da816bd388d1abcf62add460acf84d01055f2ae0029a5f72e20ef81250e0582e3f1de96d721f80263b27f2c81b231ff54446a5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c20910d-4b3c-4dc8-bcf7-4ad074771e4d.vbs
Filesize
708B

MD5
736293ff3eb00de762f6885c7dd84c22

SHA1
ff204a733ec6bdf22032adfc309b56628a569488

SHA256
cc25cda929ad3f64644aea8cb92f24d35efc2d544864997f4f68b86638f9f5dc

SHA512
ecf5d3cecfa3b5b2b0ebf5507088fd460df675f94b9db4261cf252e2daaa16437221266f782549443229bdb8efff1ae5b3c6cde49ec27cccede4e863ed3d6c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d16b3b1-1892-4762-915d-83beb45f39fc.vbs
Filesize
484B

MD5
e508db2959fabd0723defd03973177be

SHA1
6d4ef937d9aef1ab79f9496689569b2490a89925

SHA256
8d3f44d676509b8330acdbebfc9dc4637503d543ee57465693bbd67358b68f67

SHA512
0ce6e39d22581c91b789fe84efa8c74335b783c2712a70668ed52056f051790a35953803444da28efa04d2d7ab1ae18f904497097b9c23f7449b0d2d8c591414

Download Submit
memory/420-192-0x0000000000000000-mapping.dmp

Download
memory/1256-193-0x0000000000000000-mapping.dmp

Download
memory/2168-166-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2168-190-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2168-148-0x0000000000000000-mapping.dmp

Download
memory/2764-167-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2764-156-0x0000000000000000-mapping.dmp

Download
memory/2764-161-0x00000000008C0000-0x0000000000BA6000-memory.dmp

Filesize
2.9MB

Download
memory/2896-144-0x0000000000000000-mapping.dmp

Download
memory/2896-191-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2896-163-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2992-180-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2992-146-0x0000000000000000-mapping.dmp

Download
memory/2992-164-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3256-181-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3256-147-0x0000000000000000-mapping.dmp

Download
memory/3256-165-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3524-138-0x0000000000000000-mapping.dmp

Download
memory/3524-176-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3524-152-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3752-175-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3752-154-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3752-141-0x0000000000000000-mapping.dmp

Download
memory/3956-177-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3956-155-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3956-143-0x0000000000000000-mapping.dmp

Download
memory/4264-142-0x0000000000000000-mapping.dmp

Download
memory/4264-157-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4264-189-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4504-182-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4504-151-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4504-140-0x0000000000000000-mapping.dmp

Download
memory/4724-160-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4724-186-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4724-145-0x0000000000000000-mapping.dmp

Download
memory/4872-133-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4872-134-0x000000001CCD0000-0x000000001CD20000-memory.dmp

Filesize
320KB

Download
memory/4872-136-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4872-132-0x0000000000D90000-0x0000000001076000-memory.dmp

Filesize
2.9MB

Download
memory/4872-135-0x000000001D470000-0x000000001D998000-memory.dmp

Filesize
5.2MB

Download
memory/4872-162-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4984-153-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4984-183-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4984-139-0x0000000000000000-mapping.dmp

Download
memory/5080-178-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/5080-137-0x0000000000000000-mapping.dmp

Download
memory/5080-150-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/5080-149-0x00000251E9330000-0x00000251E9352000-memory.dmp

Filesize
136KB

Download