dcrat | a81fc84f16fd6501f5fcfe6e031fd4ac73d93e48a076aca3f96f1146df8d906f

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4994207972e792f8112c891760ce5523.exe
Size

1.7MB
MD5

4994207972e792f8112c891760ce5523
SHA1

bebd2f10abb04fb39d33eead4ab01ac0c98c38c3
SHA256

a81fc84f16fd6501f5fcfe6e031fd4ac73d93e48a076aca3f96f1146df8d906f
SHA512

4f6bec3e98c870548f09905382192e5445c0aef85a5986889bade11592493bbc061bae6329612d8969b28cee25c2a7e0ba032fb4172746786cf315082d871de1
SSDEEP

24576:U2G/nvxW3Ww0ted5uhXpZw1OtBN/8ibAs9ALpW7q7e2k96SQsa+JFu2sIz4xP:UbA30ed5o/LABVS+YcR

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5144	schtasks.exe
		5904	schtasks.exe
		5484	schtasks.exe
		6052	schtasks.exe
		2632	schtasks.exe
		2060	schtasks.exe
		3760	schtasks.exe
		3852	schtasks.exe
		6024	schtasks.exe
		5024	schtasks.exe
		3784	schtasks.exe
		3384	schtasks.exe
		3748	schtasks.exe
		3784	schtasks.exe
		3960	schtasks.exe
		2632	schtasks.exe
		4736	schtasks.exe
		5960	schtasks.exe
		392	schtasks.exe
		908	schtasks.exe
		3712	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0		hyperintodhcp.exe
		956	schtasks.exe
		1472	schtasks.exe
		4936	schtasks.exe
		3492	schtasks.exe
		4028	schtasks.exe
		4744	schtasks.exe
		2060	schtasks.exe
		4116	schtasks.exe
		404	schtasks.exe
		624	schtasks.exe
		2668	schtasks.exe
		5680	schtasks.exe
		3948	schtasks.exe
		4388	schtasks.exe
		3996	schtasks.exe
		3936	schtasks.exe
		3724	schtasks.exe
		6132	schtasks.exe
		3540	schtasks.exe
		5092	schtasks.exe
		2548	schtasks.exe
		348	schtasks.exe
		6084	schtasks.exe
		5368	schtasks.exe
		2104	schtasks.exe
		2212	schtasks.exe
		728	schtasks.exe
		380	schtasks.exe
		5600	schtasks.exe
		2700	schtasks.exe
		4352	schtasks.exe
File created	C:\Windows\Resources\Themes\aero\en-US\7a0fd90576e088		hyperintodhcp.exe
		4296	schtasks.exe
		5172	schtasks.exe
		2316	schtasks.exe
		3872	schtasks.exe
		3552	schtasks.exe
		1436	schtasks.exe
		4000	schtasks.exe
		3096	schtasks.exe
		6120	schtasks.exe
		4196	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5960	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	2876	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2876	schtasks.exe	69

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023150-143.dat	dcrat
behavioral2/files/0x0006000000023150-144.dat	dcrat
behavioral2/memory/1460-145-0x0000000000030000-0x0000000000194000-memory.dmp	dcrat
behavioral2/files/0x0006000000023164-150.dat	dcrat
behavioral2/files/0x0006000000023150-349.dat	dcrat
behavioral2/files/0x00060000000231ff-571.dat	dcrat
behavioral2/files/0x00060000000231ff-572.dat	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	4994207972e792f8112c891760ce5523.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	hyperintodhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	hyperintodhcp.exe

Executes dropped EXE 3 IoCs

pid	Process
1460	hyperintodhcp.exe
2164	hyperintodhcp.exe
5600	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ipinfo.io
67	ipinfo.io

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	hyperintodhcp.exe
File created	C:\Program Files (x86)\Windows Media Player\dllhost.exe	hyperintodhcp.exe
File created	C:\Program Files (x86)\Windows Media Player\5940a34987c991	hyperintodhcp.exe
File created	C:\Program Files (x86)\Google\f3b6ecef712a24	hyperintodhcp.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\SppExtComObj.exe	hyperintodhcp.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\e1ef82546f0b02	hyperintodhcp.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	hyperintodhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe	hyperintodhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1	hyperintodhcp.exe
File created	C:\Program Files (x86)\Google\spoolsv.exe	hyperintodhcp.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\hyperintodhcp.exe	hyperintodhcp.exe
File created	C:\Windows\Setup\State\29c1c3cc0f7685	hyperintodhcp.exe
File created	C:\Windows\Registration\backgroundTaskHost.exe	hyperintodhcp.exe
File created	C:\Windows\Registration\eddb19405b7ce1	hyperintodhcp.exe
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	hyperintodhcp.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	hyperintodhcp.exe
File created	C:\Windows\Resources\Themes\aero\en-US\explorer.exe	hyperintodhcp.exe
File created	C:\Windows\Resources\Themes\aero\en-US\7a0fd90576e088	hyperintodhcp.exe
File created	C:\Windows\GameBarPresenceWriter\cabb7a3b321d4b	hyperintodhcp.exe
File created	C:\Windows\Setup\State\unsecapp.exe	hyperintodhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3960	schtasks.exe
2060	schtasks.exe
2700	schtasks.exe
3384	schtasks.exe
5232	schtasks.exe
2668	schtasks.exe
3872	schtasks.exe
5600	schtasks.exe
4116	schtasks.exe
1932	schtasks.exe
4000	schtasks.exe
404	schtasks.exe
2060	schtasks.exe
4296	schtasks.exe
5172	schtasks.exe
636	schtasks.exe
6132	schtasks.exe
3176	schtasks.exe
624	schtasks.exe
3948	schtasks.exe
2632	schtasks.exe
6120	schtasks.exe
6024	schtasks.exe
3948	schtasks.exe
5024	schtasks.exe
5852	schtasks.exe
956	schtasks.exe
5092	schtasks.exe
4476	schtasks.exe
1568	schtasks.exe
3096	schtasks.exe
4884	schtasks.exe
5680	schtasks.exe
5128	schtasks.exe
5352	schtasks.exe
3724	schtasks.exe
380	schtasks.exe
3492	schtasks.exe
5160	schtasks.exe
908	schtasks.exe
4720	schtasks.exe
2104	schtasks.exe
3760	schtasks.exe
5484	schtasks.exe
3784	schtasks.exe
5368	schtasks.exe
4456	schtasks.exe
5004	schtasks.exe
3996	schtasks.exe
6128	schtasks.exe
3372	schtasks.exe
5328	schtasks.exe
3540	schtasks.exe
4936	schtasks.exe
4736	schtasks.exe
3936	schtasks.exe
348	schtasks.exe
4896	schtasks.exe
6140	schtasks.exe
548	schtasks.exe
728	schtasks.exe
2212	schtasks.exe
3748	schtasks.exe
4028	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	4994207972e792f8112c891760ce5523.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	hyperintodhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	hyperintodhcp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1460	hyperintodhcp.exe
1476	powershell.exe
1476	powershell.exe
1516	powershell.exe
1516	powershell.exe
3976	powershell.exe
3976	powershell.exe
1784	powershell.exe
1784	powershell.exe
3872	schtasks.exe
3872	schtasks.exe
4352	powershell.exe
4352	powershell.exe
2996	powershell.exe
2996	powershell.exe
1068	powershell.exe
1068	powershell.exe
3972	powershell.exe
3972	powershell.exe
3544	powershell.exe
3544	powershell.exe
4672	powershell.exe
4672	powershell.exe
3932	powershell.exe
3932	powershell.exe
3376	powershell.exe
3376	powershell.exe
3932	powershell.exe
1476	powershell.exe
1516	powershell.exe
3872	schtasks.exe
3544	powershell.exe
1068	powershell.exe
1784	powershell.exe
2996	powershell.exe
3972	powershell.exe
3976	powershell.exe
4352	schtasks.exe
3376	powershell.exe
4672	powershell.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe
2164	hyperintodhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5600	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	hyperintodhcp.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3872	schtasks.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2164	hyperintodhcp.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	5204	powershell.exe
Token: SeDebugPrivilege	5792	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	5600	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3868	800	4994207972e792f8112c891760ce5523.exe	89
PID 800 wrote to memory of 3868	800	4994207972e792f8112c891760ce5523.exe	89
PID 800 wrote to memory of 3868	800	4994207972e792f8112c891760ce5523.exe	89
PID 3868 wrote to memory of 2260	3868	WScript.exe	93
PID 3868 wrote to memory of 2260	3868	WScript.exe	93
PID 3868 wrote to memory of 2260	3868	WScript.exe	93
PID 2260 wrote to memory of 1460	2260	cmd.exe	95
PID 2260 wrote to memory of 1460	2260	cmd.exe	95
PID 1460 wrote to memory of 1516	1460	hyperintodhcp.exe	131
PID 1460 wrote to memory of 1516	1460	hyperintodhcp.exe	131
PID 1460 wrote to memory of 3976	1460	hyperintodhcp.exe	132
PID 1460 wrote to memory of 3976	1460	hyperintodhcp.exe	132
PID 1460 wrote to memory of 3872	1460	hyperintodhcp.exe	158
PID 1460 wrote to memory of 3872	1460	hyperintodhcp.exe	158
PID 1460 wrote to memory of 1476	1460	hyperintodhcp.exe	157
PID 1460 wrote to memory of 1476	1460	hyperintodhcp.exe	157
PID 1460 wrote to memory of 3972	1460	hyperintodhcp.exe	156
PID 1460 wrote to memory of 3972	1460	hyperintodhcp.exe	156
PID 1460 wrote to memory of 4352	1460	hyperintodhcp.exe	154
PID 1460 wrote to memory of 4352	1460	hyperintodhcp.exe	154
PID 1460 wrote to memory of 2996	1460	hyperintodhcp.exe	153
PID 1460 wrote to memory of 2996	1460	hyperintodhcp.exe	153
PID 1460 wrote to memory of 1068	1460	hyperintodhcp.exe	152
PID 1460 wrote to memory of 1068	1460	hyperintodhcp.exe	152
PID 1460 wrote to memory of 4672	1460	hyperintodhcp.exe	151
PID 1460 wrote to memory of 4672	1460	hyperintodhcp.exe	151
PID 1460 wrote to memory of 3932	1460	hyperintodhcp.exe	147
PID 1460 wrote to memory of 3932	1460	hyperintodhcp.exe	147
PID 1460 wrote to memory of 3544	1460	hyperintodhcp.exe	145
PID 1460 wrote to memory of 3544	1460	hyperintodhcp.exe	145
PID 1460 wrote to memory of 3376	1460	hyperintodhcp.exe	144
PID 1460 wrote to memory of 3376	1460	hyperintodhcp.exe	144
PID 1460 wrote to memory of 1784	1460	hyperintodhcp.exe	143
PID 1460 wrote to memory of 1784	1460	hyperintodhcp.exe	143
PID 1460 wrote to memory of 3748	1460	hyperintodhcp.exe	146
PID 1460 wrote to memory of 3748	1460	hyperintodhcp.exe	146
PID 3748 wrote to memory of 5936	3748	cmd.exe	160
PID 3748 wrote to memory of 5936	3748	cmd.exe	160
PID 3748 wrote to memory of 2164	3748	cmd.exe	166
PID 3748 wrote to memory of 2164	3748	cmd.exe	166
PID 2164 wrote to memory of 5264	2164	hyperintodhcp.exe	224
PID 2164 wrote to memory of 5264	2164	hyperintodhcp.exe	224
PID 2164 wrote to memory of 1508	2164	hyperintodhcp.exe	225
PID 2164 wrote to memory of 1508	2164	hyperintodhcp.exe	225
PID 2164 wrote to memory of 4192	2164	hyperintodhcp.exe	226
PID 2164 wrote to memory of 4192	2164	hyperintodhcp.exe	226
PID 2164 wrote to memory of 3564	2164	hyperintodhcp.exe	251
PID 2164 wrote to memory of 3564	2164	hyperintodhcp.exe	251
PID 2164 wrote to memory of 3776	2164	hyperintodhcp.exe	250
PID 2164 wrote to memory of 3776	2164	hyperintodhcp.exe	250
PID 2164 wrote to memory of 5324	2164	hyperintodhcp.exe	249
PID 2164 wrote to memory of 5324	2164	hyperintodhcp.exe	249
PID 2164 wrote to memory of 6056	2164	hyperintodhcp.exe	247
PID 2164 wrote to memory of 6056	2164	hyperintodhcp.exe	247
PID 2164 wrote to memory of 2204	2164	hyperintodhcp.exe	227
PID 2164 wrote to memory of 2204	2164	hyperintodhcp.exe	227
PID 2164 wrote to memory of 1952	2164	hyperintodhcp.exe	245
PID 2164 wrote to memory of 1952	2164	hyperintodhcp.exe	245
PID 2164 wrote to memory of 5792	2164	hyperintodhcp.exe	241
PID 2164 wrote to memory of 5792	2164	hyperintodhcp.exe	241
PID 2164 wrote to memory of 5204	2164	hyperintodhcp.exe	239
PID 2164 wrote to memory of 5204	2164	hyperintodhcp.exe	239
PID 2164 wrote to memory of 6108	2164	hyperintodhcp.exe	238
PID 2164 wrote to memory of 6108	2164	hyperintodhcp.exe	238

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4994207972e792f8112c891760ce5523.exe
"C:\Users\Admin\AppData\Local\Temp\4994207972e792f8112c891760ce5523.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainComsessiondhcpSvc\EUUBgivSd08oacviC1.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainComsessiondhcpSvc\4ry84STFOAKpX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\chainComsessiondhcpSvc\hyperintodhcp.exe
      "C:\chainComsessiondhcpSvc\hyperintodhcp.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xIaz7iCk6P.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5936
      - C:\chainComsessiondhcpSvc\hyperintodhcp.exe
        
        "C:\chainComsessiondhcpSvc\hyperintodhcp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/chainComsessiondhcpSvc/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\buMuhMWd9v.bat"
        7⤵
        
        PID:3856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4844
        
        C:\Program Files (x86)\Google\spoolsv.exe
        
        "C:\Program Files (x86)\Google\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/chainComsessiondhcpSvc/'
        5⤵
        
        PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Setup\State\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\chainComsessiondhcpSvc\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\chainComsessiondhcpSvc\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\chainComsessiondhcpSvc\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\chainComsessiondhcpSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\aero\en-US\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\aero\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\chainComsessiondhcpSvc\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\chainComsessiondhcpSvc\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcph" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\hyperintodhcp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\hyperintodhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcph" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\hyperintodhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\.oracle_jre_usage\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\.oracle_jre_usage\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\.oracle_jre_usage\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcph" /sc MINUTE /mo 5 /tr "'C:\Windows\GameBarPresenceWriter\hyperintodhcp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\hyperintodhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperintodhcph" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\hyperintodhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\odt\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\chainComsessiondhcpSvc\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\chainComsessiondhcpSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\chainComsessiondhcpSvc\sppsvc.exe'" /f
1⤵
- DcRat
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\chainComsessiondhcpSvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\chainComsessiondhcpSvc\lsass.exe'" /f
1⤵
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\chainComsessiondhcpSvc\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\chainComsessiondhcpSvc\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- DcRat
PID:6084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /f
1⤵
- DcRat
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\spoolsv.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
C:\Program Files (x86)\Google\spoolsv.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperintodhcp.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0517d7daa86e87ab93c37adcb931f498

SHA1
6b243308a84f033c4943c7f63c0f824d8db31a13

SHA256
3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

SHA512
a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0517d7daa86e87ab93c37adcb931f498

SHA1
6b243308a84f033c4943c7f63c0f824d8db31a13

SHA256
3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

SHA512
a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1502b93590fa2098310cf111ddec779d

SHA1
174778f5582b928a6fc2adedeef655242b57d302

SHA256
b49f686d203941e2f0cbc97000c74843157be41e06811bf8eab2d4f7b4788d5e

SHA512
e82b85af51a98adbeaff726650daf56b418940d98a67c44cf38f6b74610a6800e7d203cb0aa8427c2c1e0373fcd38478147f6cc1033e0ab0ae9fbb0f69ad92fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1502b93590fa2098310cf111ddec779d

SHA1
174778f5582b928a6fc2adedeef655242b57d302

SHA256
b49f686d203941e2f0cbc97000c74843157be41e06811bf8eab2d4f7b4788d5e

SHA512
e82b85af51a98adbeaff726650daf56b418940d98a67c44cf38f6b74610a6800e7d203cb0aa8427c2c1e0373fcd38478147f6cc1033e0ab0ae9fbb0f69ad92fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a672fcf7facce635c83caf7b195d0bf8

SHA1
fec2f6c2456efe713ba08fa692a4a356f2f37ba8

SHA256
71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

SHA512
12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a672fcf7facce635c83caf7b195d0bf8

SHA1
fec2f6c2456efe713ba08fa692a4a356f2f37ba8

SHA256
71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

SHA512
12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d39ea6f9ab2ac89f0eecf4195aa92ab1

SHA1
330eceaf8a8f7f482b8efcdd909dd17fcab58861

SHA256
c43aeb94aa5a3757d5366738541991ed39ff1ad7d5b5f5644dcecd78bdc48398

SHA512
25d06b3688f9454a2b9598c9cc65f49184d743124a5723b43a4278effd95bee192e83ba7be486f5e331692d78d81e58c5cc2720aac56551dc3f90a9e81278222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fd1207fb34732237602c32614f8e7a5

SHA1
3c17778095da518c209e6854340c140cff556a50

SHA256
b89786113f914c4c6c44f0455750d167a760b375dc12c18a52054e71f0d24737

SHA512
54e7f41aa11b147d6734d1b2972c11dd6a4703be366dd9b26dbca14a9392205a4f19545c39db9807751468522c9e761fe7009bebf743e3ef852d7b79429ba482

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hixqxt0p.we0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\buMuhMWd9v.bat

Filesize
206B

MD5
a436da855b18bbd79620cad99d6f6af6

SHA1
f4f80a7d65872d5c5836318e77e98b95e043e612

SHA256
1e305779ad9197fadcc99bd7d813ec643bdfdcea63dd743c4e1cbcb746139d84

SHA512
bc478a51769cdc25c39ee003781f1fab804bbcc3ce22f4dfa2d96768874c028cc71566cd56295c6af6cb1b2efe746820d3abdc01dcb4a5b0b31f564bfb376b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIaz7iCk6P.bat

Filesize
208B

MD5
cf9ac4845fa1bd60eaaee2abf705c090

SHA1
8473bafb167767b5ec0303176760860e43dc5fe2

SHA256
050bca980483f0a7d83f43b8fe9244c6aa415d09cb1c505a11c6a8bfbf2da7bb

SHA512
634cc49e51e16b03b7b9928503269c7c15989e9e7caeb6ba84efd8b53dec099280b341236f4a2ff8cbf176fdf2c5a91fa7bb1093063cc449bcb5a0901c41e13b

Download Submit
C:\chainComsessiondhcpSvc\4ry84STFOAKpX.bat

Filesize
56B

MD5
b8659c9ecf732a2be9c227998217c731

SHA1
3e957688e0b1b5b7897906b3731158be1900869e

SHA256
8c9bde8cb3c1cfe4567c71043809f1444592c69a4950aa7a6e98d3dbc4da66e5

SHA512
abecd1f60595fd20de12a7b47eb4b757caa83802e98782a7914ce8225174581e7baa4981b7d44b80fc3848ca03d3ebc0aae36d9ce1cc2655d1773ecbf0ab199b

Download Submit
C:\chainComsessiondhcpSvc\EUUBgivSd08oacviC1.vbe

Filesize
223B

MD5
10208d9929d6a7f0892c90f283f50b2d

SHA1
91eb90ca4363f9f5bd31752de843b13eeb231f5d

SHA256
9e462cb6bcb1efa805f2a4829b1a86694537725376f435e5904cb864327eb803

SHA512
d44333bd6061a79c23010c9e8c35d7485a3fac75c804379ca4bd0c9b998f8be5df307bd07ee1ef47519bb2836587daf747dd71f9e0c1e870e3b5a27f1de22b15

Download Submit
C:\chainComsessiondhcpSvc\hyperintodhcp.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
C:\chainComsessiondhcpSvc\hyperintodhcp.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
C:\chainComsessiondhcpSvc\hyperintodhcp.exe

Filesize
1.4MB

MD5
aeb52352bf15ecf8075968733e898e80

SHA1
25cb961dc24c875739c8429ed831199da1ffe274

SHA256
3aa402e9ddaa5239114ad7ea1339b6f979168feb6789e68d71586b2193f99c52

SHA512
680e979ffe85ad4d680caf98376e6b52cfe56f65f7ec065134406a6333af562b2d0fffaacc1494019cc934131db06ebc285844d6e5053f6061133d14417852d6

Download Submit
memory/1068-321-0x00000148A80E0000-0x00000148A80F0000-memory.dmp

Filesize
64KB

Download
memory/1068-179-0x00000148A80E0000-0x00000148A80F0000-memory.dmp

Filesize
64KB

Download
memory/1068-313-0x00000148A80E0000-0x00000148A80F0000-memory.dmp

Filesize
64KB

Download
memory/1460-145-0x0000000000030000-0x0000000000194000-memory.dmp

Filesize
1.4MB

Download
memory/1460-146-0x00000000022B0000-0x0000000002300000-memory.dmp

Filesize
320KB

Download
memory/1460-148-0x000000001C5F0000-0x000000001C600000-memory.dmp

Filesize
64KB

Download
memory/1476-317-0x0000017FFC4C0000-0x0000017FFC4D0000-memory.dmp

Filesize
64KB

Download
memory/1476-178-0x0000017FFC4C0000-0x0000017FFC4D0000-memory.dmp

Filesize
64KB

Download
memory/1476-311-0x0000017FFC4C0000-0x0000017FFC4D0000-memory.dmp

Filesize
64KB

Download
memory/1508-533-0x0000014022BC0000-0x0000014022BD0000-memory.dmp

Filesize
64KB

Download
memory/1508-473-0x0000014022BC0000-0x0000014022BD0000-memory.dmp

Filesize
64KB

Download
memory/1508-488-0x0000014022BC0000-0x0000014022BD0000-memory.dmp

Filesize
64KB

Download
memory/1516-176-0x000001F661DD0000-0x000001F661DE0000-memory.dmp

Filesize
64KB

Download
memory/1516-175-0x000001F661DD0000-0x000001F661DE0000-memory.dmp

Filesize
64KB

Download
memory/1516-191-0x000001F661E10000-0x000001F661E32000-memory.dmp

Filesize
136KB

Download
memory/1784-254-0x0000020658F60000-0x0000020658F70000-memory.dmp

Filesize
64KB

Download
memory/1952-523-0x000001D7A68A0000-0x000001D7A68B0000-memory.dmp

Filesize
64KB

Download
memory/1952-536-0x000001D7A68A0000-0x000001D7A68B0000-memory.dmp

Filesize
64KB

Download
memory/1952-524-0x000001D7A68A0000-0x000001D7A68B0000-memory.dmp

Filesize
64KB

Download
memory/2164-355-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/2204-519-0x000002014B170000-0x000002014B180000-memory.dmp

Filesize
64KB

Download
memory/2204-541-0x000002014B170000-0x000002014B180000-memory.dmp

Filesize
64KB

Download
memory/2204-508-0x000002014B170000-0x000002014B180000-memory.dmp

Filesize
64KB

Download
memory/2996-314-0x000001F009870000-0x000001F009880000-memory.dmp

Filesize
64KB

Download
memory/2996-235-0x000001F009870000-0x000001F009880000-memory.dmp

Filesize
64KB

Download
memory/2996-221-0x000001F009870000-0x000001F009880000-memory.dmp

Filesize
64KB

Download
memory/3376-298-0x000001AEFD2D0000-0x000001AEFD2E0000-memory.dmp

Filesize
64KB

Download
memory/3456-527-0x000001D24B9A0000-0x000001D24B9B0000-memory.dmp

Filesize
64KB

Download
memory/3456-526-0x000001D24B9A0000-0x000001D24B9B0000-memory.dmp

Filesize
64KB

Download
memory/3544-312-0x0000024ED2E10000-0x0000024ED2E20000-memory.dmp

Filesize
64KB

Download
memory/3544-320-0x0000024ED2E10000-0x0000024ED2E20000-memory.dmp

Filesize
64KB

Download
memory/3564-530-0x000002024CFB0000-0x000002024CFC0000-memory.dmp

Filesize
64KB

Download
memory/3776-531-0x000002B542A20000-0x000002B542A30000-memory.dmp

Filesize
64KB

Download
memory/3776-539-0x000002B542A20000-0x000002B542A30000-memory.dmp

Filesize
64KB

Download
memory/3776-498-0x000002B542A20000-0x000002B542A30000-memory.dmp

Filesize
64KB

Download
memory/3872-277-0x000001C9C6800000-0x000001C9C6810000-memory.dmp

Filesize
64KB

Download
memory/3872-287-0x000001C9C6800000-0x000001C9C6810000-memory.dmp

Filesize
64KB

Download
memory/3932-310-0x000001CBCEE80000-0x000001CBCEE90000-memory.dmp

Filesize
64KB

Download
memory/3932-309-0x000001CBCEE80000-0x000001CBCEE90000-memory.dmp

Filesize
64KB

Download
memory/3972-198-0x000001A0739B0000-0x000001A0739C0000-memory.dmp

Filesize
64KB

Download
memory/3972-200-0x000001A0739B0000-0x000001A0739C0000-memory.dmp

Filesize
64KB

Download
memory/3972-319-0x000001A0739B0000-0x000001A0739C0000-memory.dmp

Filesize
64KB

Download
memory/3976-318-0x0000012635700000-0x0000012635710000-memory.dmp

Filesize
64KB

Download
memory/3976-315-0x0000012635700000-0x0000012635710000-memory.dmp

Filesize
64KB

Download
memory/3976-177-0x0000012635700000-0x0000012635710000-memory.dmp

Filesize
64KB

Download
memory/4192-543-0x000002C1553B0000-0x000002C1553C0000-memory.dmp

Filesize
64KB

Download
memory/4192-521-0x000002C1553B0000-0x000002C1553C0000-memory.dmp

Filesize
64KB

Download
memory/4192-537-0x000002C1553B0000-0x000002C1553C0000-memory.dmp

Filesize
64KB

Download
memory/4352-316-0x00000211A5440000-0x00000211A5450000-memory.dmp

Filesize
64KB

Download
memory/4352-210-0x00000211A5440000-0x00000211A5450000-memory.dmp

Filesize
64KB

Download
memory/4672-297-0x0000020A7A230000-0x0000020A7A240000-memory.dmp

Filesize
64KB

Download
memory/5204-542-0x00000283154A0000-0x00000283154B0000-memory.dmp

Filesize
64KB

Download
memory/5204-535-0x00000283154A0000-0x00000283154B0000-memory.dmp

Filesize
64KB

Download
memory/5264-487-0x0000017279510000-0x0000017279520000-memory.dmp

Filesize
64KB

Download
memory/5264-472-0x0000017279510000-0x0000017279520000-memory.dmp

Filesize
64KB

Download
memory/5264-540-0x0000017279510000-0x0000017279520000-memory.dmp

Filesize
64KB

Download
memory/5264-532-0x0000017279510000-0x0000017279520000-memory.dmp

Filesize
64KB

Download
memory/5324-518-0x000001ED45C20000-0x000001ED45C30000-memory.dmp

Filesize
64KB

Download
memory/5324-534-0x000001ED45C20000-0x000001ED45C30000-memory.dmp

Filesize
64KB

Download
memory/5324-520-0x000001ED45C20000-0x000001ED45C30000-memory.dmp

Filesize
64KB

Download
memory/5792-522-0x000002A2D6650000-0x000002A2D6660000-memory.dmp

Filesize
64KB

Download
memory/6056-529-0x000002236DE40000-0x000002236DE50000-memory.dmp

Filesize
64KB

Download
memory/6056-528-0x000002236DE40000-0x000002236DE50000-memory.dmp

Filesize
64KB

Download
memory/6108-538-0x000002CBD8900000-0x000002CBD8910000-memory.dmp

Filesize
64KB

Download