dcrat | 915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

limalt.exe
Size

2.0MB
MD5

8468c0223b7665174d19866d33ae9731
SHA1

b261b25063f61b7194310d62912596df732ebbb7
SHA256

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83
SHA512

77397cc18ba208256e9fc4ebd182a197f6fc2f71e17ae737b0ab3bfa8c09d3da6a3ae30076a1bfaea9bd4889402f5e897f3b751cf86e8e12fd59f85f48613eb6
SSDEEP

49152:ubA3j3+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:ubdTHUxUoh1IF9gl2x

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4852	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral1/memory/4800-139-0x0000000000970000-0x0000000000B30000-memory.dmp	dcrat
C:\odt\OfficeClickToRun.exe	dcrat
behavioral1/memory/836-175-0x0000000000BD0000-0x0000000000D90000-memory.dmp	dcrat
C:\odt\OfficeClickToRun.exe	dcrat
C:\odt\OfficeClickToRun.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\e05ac981ecba1d1176b05dd3ef167f1029c63dfd.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SurrogateDll.exe
Executes dropped EXE 3 IoCs

Processes:

SurrogateDll.exeOfficeClickToRun.exeOfficeClickToRun.exe

pid process

4800 SurrogateDll.exe
836 OfficeClickToRun.exe
2376 OfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SurrogateDll.exeOfficeClickToRun.exeOfficeClickToRun.exelimalt.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	limalt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 20 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX307B.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX2FDE.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX330D.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX362C.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX3F88.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX4025.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24	SurrogateDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX33AA.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	SurrogateDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\66fc9ff0ee96c2	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX36B9.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4700	schtasks.exe
1352	schtasks.exe
3564	schtasks.exe
392	schtasks.exe
656	schtasks.exe
316	schtasks.exe
4740	schtasks.exe
1456	schtasks.exe
4984	schtasks.exe
2064	schtasks.exe
4648	schtasks.exe
1016	schtasks.exe
3424	schtasks.exe
384	schtasks.exe
1268	schtasks.exe
4288	schtasks.exe
3688	schtasks.exe
4608	schtasks.exe
4500	schtasks.exe
4564	schtasks.exe
4532	schtasks.exe
4724	schtasks.exe
3480	schtasks.exe
2240	schtasks.exe
5012	schtasks.exe
1708	schtasks.exe
4548	schtasks.exe
208	schtasks.exe
628	schtasks.exe
364	schtasks.exe
220	schtasks.exe
4708	schtasks.exe
3096	schtasks.exe
4976	schtasks.exe
400	schtasks.exe
5032	schtasks.exe
228	schtasks.exe
2512	schtasks.exe
3616	schtasks.exe
3168	schtasks.exe
4948	schtasks.exe
5024	schtasks.exe
1192	schtasks.exe
3264	schtasks.exe
1440	schtasks.exe

Modifies registry class 4 IoCs

Processes:

limalt.exeSurrogateDll.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	limalt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exe

pid	process
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe
4800	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	pid	process
Token: SeDebugPrivilege	4800	SurrogateDll.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	836	OfficeClickToRun.exe
Token: SeDebugPrivilege	2376	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

limalt.exeWScript.execmd.exeSurrogateDll.exeOfficeClickToRun.exeWScript.exeOfficeClickToRun.exe

description	pid	process	target process
PID 2304 wrote to memory of 2408	2304	limalt.exe	WScript.exe
PID 2304 wrote to memory of 2408	2304	limalt.exe	WScript.exe
PID 2304 wrote to memory of 2408	2304	limalt.exe	WScript.exe
PID 2408 wrote to memory of 3272	2408	WScript.exe	cmd.exe
PID 2408 wrote to memory of 3272	2408	WScript.exe	cmd.exe
PID 2408 wrote to memory of 3272	2408	WScript.exe	cmd.exe
PID 3272 wrote to memory of 4800	3272	cmd.exe	SurrogateDll.exe
PID 3272 wrote to memory of 4800	3272	cmd.exe	SurrogateDll.exe
PID 4800 wrote to memory of 4872	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4872	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4680	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4680	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 460	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 460	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 396	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 396	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4056	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4056	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 2540	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 2540	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 3384	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 3384	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4060	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4060	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 2164	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 2164	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 3792	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 3792	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 1300	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 1300	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 1476	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 1476	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4492	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 4492	4800	SurrogateDll.exe	powershell.exe
PID 4800 wrote to memory of 836	4800	SurrogateDll.exe	OfficeClickToRun.exe
PID 4800 wrote to memory of 836	4800	SurrogateDll.exe	OfficeClickToRun.exe
PID 836 wrote to memory of 3752	836	OfficeClickToRun.exe	WScript.exe
PID 836 wrote to memory of 3752	836	OfficeClickToRun.exe	WScript.exe
PID 836 wrote to memory of 2176	836	OfficeClickToRun.exe	WScript.exe
PID 836 wrote to memory of 2176	836	OfficeClickToRun.exe	WScript.exe
PID 3752 wrote to memory of 2376	3752	WScript.exe	OfficeClickToRun.exe
PID 3752 wrote to memory of 2376	3752	WScript.exe	OfficeClickToRun.exe
PID 2376 wrote to memory of 4956	2376	OfficeClickToRun.exe	WScript.exe
PID 2376 wrote to memory of 4956	2376	OfficeClickToRun.exe	WScript.exe
PID 2376 wrote to memory of 4708	2376	OfficeClickToRun.exe	WScript.exe
PID 2376 wrote to memory of 4708	2376	OfficeClickToRun.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\limalt.exe
"C:\Users\Admin\AppData\Local\Temp\limalt.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9827caf8-d0b8-47c6-bec0-0808f3afb35d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\odt\OfficeClickToRun.exe
        
        C:\odt\OfficeClickToRun.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e5b3c3a-ae6f-4f9e-8311-b05e1a727184.vbs"
        8⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab553047-a425-4cc0-bf7b-54b12293e794.vbs"
        8⤵
        
        PID:4708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71d248b-c15c-4490-8b37-e59d7ec25fc5.vbs"
        6⤵
        
        PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\agentBrowsersavesRefBroker\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\agentBrowsersavesRefBroker\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\agentBrowsersavesRefBroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e5b3c3a-ae6f-4f9e-8311-b05e1a727184.vbs

Filesize
703B

MD5
3d4ae323167edb1156269ae11878a60a

SHA1
afbb389fefaf922da20a53730d281fe1e508b4ba

SHA256
6767081b54d7ed80fb9ed51a3e8c73bac74fe32918bc866343f91e95880dd6ee

SHA512
8ff6e927aa1c88cabe26c9e26b3f42064397c5600c6c796eabeff22c218ed8747cafa22b0ab9c2896bca9376b1787a74ea4a27ec47ff075f7833ba15411ebb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\9827caf8-d0b8-47c6-bec0-0808f3afb35d.vbs

Filesize
702B

MD5
978c835daae618e4073faadcb88f22c0

SHA1
c72e75c37479e3c7293dc8cd58ae97d4e9a7e838

SHA256
9ea70d1de8429595dd9dd29e283d4b4f9ce0e1bed58d2b175e5edb7bcd445aa7

SHA512
4f90522feeeab7c8187a39810532c0fa5472d830ea834ed17146229a7e6633b60a93883641ae35c6d51620264320d4cebb68bdcd71182a32fcc0c4d4fe9cd1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab553047-a425-4cc0-bf7b-54b12293e794.vbs

Filesize
479B

MD5
c84b9e85eff3069ae83dfffbc31e09f9

SHA1
420dd76c397c7708aa89bf01f1b38d4a6ce687fd

SHA256
3a541daf4c8279e1d6000a62f6abd9072593d2f56e810564225a260ac63beaa9

SHA512
0a041175f623f3f87f6d919b957593ec2ab0d292e8ef3e5d4e1f42f18024c71c290bbde4eef27c09d36e51b4020a4b55f5729938db4e51b1706484099a1360d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c71d248b-c15c-4490-8b37-e59d7ec25fc5.vbs

Filesize
479B

MD5
c84b9e85eff3069ae83dfffbc31e09f9

SHA1
420dd76c397c7708aa89bf01f1b38d4a6ce687fd

SHA256
3a541daf4c8279e1d6000a62f6abd9072593d2f56e810564225a260ac63beaa9

SHA512
0a041175f623f3f87f6d919b957593ec2ab0d292e8ef3e5d4e1f42f18024c71c290bbde4eef27c09d36e51b4020a4b55f5729938db4e51b1706484099a1360d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e05ac981ecba1d1176b05dd3ef167f1029c63dfd.exe

Filesize
1.7MB

MD5
3432f5d6c2e2fd06e2b95562df13334c

SHA1
6bf5eae49633e476915dc0f95b7471eef4f8a811

SHA256
6bf83caa703cb7fafbaba25a8b6dc9b742ccb8ec9fe5c8e8a33aaa4fcdcbb498

SHA512
02ddf4952d4ba09afa3b29ee2fee3dddcee0fcdb606f758d5dac84630539822ddb642a7508c215a657a565a914c69e8067b845a7af0f33b688a56e22373b07e8

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe

Filesize
223B

MD5
9403175bdfbadf333200b08d0f9a97e4

SHA1
c3383de367a292b0b2d12659468b7aa53985171d

SHA256
3185c369451bdae7ed017894d541c6957d5b583b4a31a8efd288cfe4ff457f87

SHA512
65ca9bdc7f0c2d9ddae0c2f6253386587f5e41fd0a1353a11c43c7352d6b218ad3b87160b536839f10bd2a6cd78d89053e77e3686284a5e66d7dd3ffd2176002

Download Submit
C:\odt\OfficeClickToRun.exe

Filesize
1.7MB

MD5
3432f5d6c2e2fd06e2b95562df13334c

SHA1
6bf5eae49633e476915dc0f95b7471eef4f8a811

SHA256
6bf83caa703cb7fafbaba25a8b6dc9b742ccb8ec9fe5c8e8a33aaa4fcdcbb498

SHA512
02ddf4952d4ba09afa3b29ee2fee3dddcee0fcdb606f758d5dac84630539822ddb642a7508c215a657a565a914c69e8067b845a7af0f33b688a56e22373b07e8

Download Submit
C:\odt\OfficeClickToRun.exe

Filesize
1.7MB

MD5
3432f5d6c2e2fd06e2b95562df13334c

SHA1
6bf5eae49633e476915dc0f95b7471eef4f8a811

SHA256
6bf83caa703cb7fafbaba25a8b6dc9b742ccb8ec9fe5c8e8a33aaa4fcdcbb498

SHA512
02ddf4952d4ba09afa3b29ee2fee3dddcee0fcdb606f758d5dac84630539822ddb642a7508c215a657a565a914c69e8067b845a7af0f33b688a56e22373b07e8

Download Submit
C:\odt\OfficeClickToRun.exe

Filesize
1.7MB

MD5
3432f5d6c2e2fd06e2b95562df13334c

SHA1
6bf5eae49633e476915dc0f95b7471eef4f8a811

SHA256
6bf83caa703cb7fafbaba25a8b6dc9b742ccb8ec9fe5c8e8a33aaa4fcdcbb498

SHA512
02ddf4952d4ba09afa3b29ee2fee3dddcee0fcdb606f758d5dac84630539822ddb642a7508c215a657a565a914c69e8067b845a7af0f33b688a56e22373b07e8

Download Submit
memory/396-191-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/396-151-0x0000000000000000-mapping.dmp

Download
memory/396-165-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/460-192-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/460-164-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/460-150-0x0000000000000000-mapping.dmp

Download
memory/836-213-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/836-183-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/836-221-0x000000001E1F0000-0x000000001E1F4000-memory.dmp

Filesize
16KB

Download
memory/836-222-0x000000001E1F4000-0x000000001E1F7000-memory.dmp

Filesize
12KB

Download
memory/836-220-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/836-219-0x00000000013C9000-0x00000000013CF000-memory.dmp

Filesize
24KB

Download
memory/836-218-0x000000001E1F4000-0x000000001E1F7000-memory.dmp

Filesize
12KB

Download
memory/836-217-0x000000001E1F4000-0x000000001E1F7000-memory.dmp

Filesize
12KB

Download
memory/836-216-0x000000001E1F0000-0x000000001E1F4000-memory.dmp

Filesize
16KB

Download
memory/836-171-0x0000000000000000-mapping.dmp

Download
memory/836-215-0x00000000013C9000-0x00000000013CF000-memory.dmp

Filesize
24KB

Download
memory/836-214-0x000000001E1F0000-0x000000001E1F4000-memory.dmp

Filesize
16KB

Download
memory/836-175-0x0000000000BD0000-0x0000000000D90000-memory.dmp

Filesize
1.8MB

Download
memory/836-199-0x00000000013C9000-0x00000000013CF000-memory.dmp

Filesize
24KB

Download
memory/1300-181-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/1300-158-0x0000000000000000-mapping.dmp

Download
memory/1300-208-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/1476-159-0x0000000000000000-mapping.dmp

Download
memory/1476-205-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/1476-174-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2164-180-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2164-203-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2164-156-0x0000000000000000-mapping.dmp

Download
memory/2176-210-0x0000000000000000-mapping.dmp

Download
memory/2376-238-0x000000001DA50000-0x000000001DA54000-memory.dmp

Filesize
16KB

Download
memory/2376-226-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2376-234-0x000000001DA50000-0x000000001DA54000-memory.dmp

Filesize
16KB

Download
memory/2376-233-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2376-223-0x0000000000000000-mapping.dmp

Download
memory/2376-241-0x000000001DA55000-0x000000001DA59000-memory.dmp

Filesize
16KB

Download
memory/2376-232-0x000000001AFB9000-0x000000001AFBF000-memory.dmp

Filesize
24KB

Download
memory/2376-240-0x000000001AFBA000-0x000000001AFBE000-memory.dmp

Filesize
16KB

Download
memory/2376-237-0x000000001DA57000-0x000000001DA5A000-memory.dmp

Filesize
12KB

Download
memory/2376-235-0x000000001DA54000-0x000000001DA57000-memory.dmp

Filesize
12KB

Download
memory/2376-239-0x000000001DA54000-0x000000001DA57000-memory.dmp

Filesize
12KB

Download
memory/2376-236-0x000000001AFB9000-0x000000001AFBF000-memory.dmp

Filesize
24KB

Download
memory/2408-132-0x0000000000000000-mapping.dmp

Download
memory/2540-153-0x0000000000000000-mapping.dmp

Download
memory/2540-166-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/2540-197-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3272-135-0x0000000000000000-mapping.dmp

Download
memory/3384-201-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3384-169-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3384-154-0x0000000000000000-mapping.dmp

Download
memory/3752-209-0x0000000000000000-mapping.dmp

Download
memory/3792-207-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3792-170-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3792-157-0x0000000000000000-mapping.dmp

Download
memory/4056-194-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4056-167-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4056-152-0x0000000000000000-mapping.dmp

Download
memory/4060-168-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4060-193-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4060-155-0x0000000000000000-mapping.dmp

Download
memory/4492-206-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4492-160-0x0000000000000000-mapping.dmp

Download
memory/4492-182-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4680-195-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4680-149-0x0000000000000000-mapping.dmp

Download
memory/4680-163-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4708-230-0x0000000000000000-mapping.dmp

Download
memory/4800-144-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4800-177-0x0000000002B99000-0x0000000002B9F000-memory.dmp

Filesize
24KB

Download
memory/4800-140-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4800-178-0x000000001DFF0000-0x000000001DFF4000-memory.dmp

Filesize
16KB

Download
memory/4800-179-0x000000001DFF4000-0x000000001DFF7000-memory.dmp

Filesize
12KB

Download
memory/4800-139-0x0000000000970000-0x0000000000B30000-memory.dmp

Filesize
1.8MB

Download
memory/4800-136-0x0000000000000000-mapping.dmp

Download
memory/4800-142-0x000000001D3C0000-0x000000001D8E8000-memory.dmp

Filesize
5.2MB

Download
memory/4800-143-0x0000000002B99000-0x0000000002B9F000-memory.dmp

Filesize
24KB

Download
memory/4800-141-0x000000001CE40000-0x000000001CE90000-memory.dmp

Filesize
320KB

Download
memory/4800-145-0x000000001DFF0000-0x000000001DFF4000-memory.dmp

Filesize
16KB

Download
memory/4800-146-0x000000001DFF4000-0x000000001DFF7000-memory.dmp

Filesize
12KB

Download
memory/4800-147-0x0000000002B99000-0x0000000002B9F000-memory.dmp

Filesize
24KB

Download
memory/4800-176-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4872-190-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4872-148-0x0000000000000000-mapping.dmp

Download
memory/4872-162-0x00000224F9150000-0x00000224F9172000-memory.dmp

Filesize
136KB

Download
memory/4872-161-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/4956-227-0x0000000000000000-mapping.dmp

Download