dcrat | 78ef720a295f0a09aa9c02eddc8f7ebdcfa5dc6355a3732b9dd5ab3e0d20e6c2

Analysis

max time kernel
87s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Size

1.9MB
MD5

39dac645fb473abe88ebf3bb28e360b0
SHA1

e2b8488b672d5765b404dc44f1ee6e0e005a2932
SHA256

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7
SHA512

1f6d438429d1e7268fd9e757e2ae2af3a4418a700059cd69c712ed6dd0304bafc76400334a1a44fb45683908ec39bbfacfc2bf83e15ff2221de087e168dce6e2
SSDEEP

24576:dCNqlizzN4yGwrXLoamoWvXa7IwfvoMODACOfCW2lPy1A9Qsy2lPy1A9QnG:UwgKyGwHthIwf7gOqW2wKQsy2wKQnG

Score

10^/10

dcrat evasion infostealer rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3452	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3452	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

backgroundTaskHost.exe7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2064-133-0x0000000000420000-0x0000000000616000-memory.dmp	dcrat
C:\Users\Public\Videos\winlogon.exe	dcrat
C:\odt\RCX79DD.tmp	dcrat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	dcrat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

Executes dropped EXE 1 IoCs

Processes:

backgroundTaskHost.exe

pid process

3240 backgroundTaskHost.exe

pid	process
3240	backgroundTaskHost.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2064-133-0x0000000000420000-0x0000000000616000-memory.dmp	themida
C:\Users\Public\Videos\winlogon.exe	themida
C:\odt\RCX79DD.tmp	themida
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	themida
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exebackgroundTaskHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Drops file in Program Files directory 15 IoCs

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX776A.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8511.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\wininit.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX774A.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8522.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX82CD.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX82EE.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\6cb0b6c459d5d3	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

Drops file in Windows directory 5 IoCs

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

description	ioc	process
File created	C:\Windows\Fonts\fontdrvhost.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File created	C:\Windows\Fonts\5b884080fd4f94	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Windows\Fonts\RCX8BBF.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Windows\Fonts\RCX8BCF.tmp	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
File opened for modification	C:\Windows\Fonts\fontdrvhost.exe	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3792	schtasks.exe
3764	schtasks.exe
2724	schtasks.exe
1748	schtasks.exe
4292	schtasks.exe
2056	schtasks.exe
996	schtasks.exe
880	schtasks.exe
2980	schtasks.exe
2228	schtasks.exe
4156	schtasks.exe
1036	schtasks.exe
4468	schtasks.exe
4228	schtasks.exe
3892	schtasks.exe
772	schtasks.exe
2012	schtasks.exe
4048	schtasks.exe
4744	schtasks.exe
3980	schtasks.exe
220	schtasks.exe
2096	schtasks.exe
1556	schtasks.exe
2256	schtasks.exe
752	schtasks.exe
4400	schtasks.exe
2968	schtasks.exe
2852	schtasks.exe
4264	schtasks.exe
2116	schtasks.exe
2420	schtasks.exe
4456	schtasks.exe
3244	schtasks.exe
4684	schtasks.exe
228	schtasks.exe
3900	schtasks.exe
4476	schtasks.exe
3672	schtasks.exe
3772	schtasks.exe

Modifies registry class 1 IoCs

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebackgroundTaskHost.exe

pid	process
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
3988	powershell.exe
3988	powershell.exe
1748	powershell.exe
1748	powershell.exe
4124	powershell.exe
4124	powershell.exe
2556	powershell.exe
2556	powershell.exe
4156	powershell.exe
4156	powershell.exe
4268	powershell.exe
4268	powershell.exe
4264	powershell.exe
4264	powershell.exe
3380	powershell.exe
3380	powershell.exe
2428	powershell.exe
2428	powershell.exe
1860	powershell.exe
1860	powershell.exe
216	powershell.exe
216	powershell.exe
2492	powershell.exe
2492	powershell.exe
1740	powershell.exe
1740	powershell.exe
320	powershell.exe
320	powershell.exe
2428	powershell.exe
3988	powershell.exe
3988	powershell.exe
1748	powershell.exe
3380	powershell.exe
4268	powershell.exe
4264	powershell.exe
216	powershell.exe
1860	powershell.exe
1740	powershell.exe
2492	powershell.exe
2556	powershell.exe
4156	powershell.exe
4124	powershell.exe
4124	powershell.exe
320	powershell.exe
3240	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3240	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 4268	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4268	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 3988	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 3988	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2556	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2556	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 3380	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 3380	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4124	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4124	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4156	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4156	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4264	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 4264	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1860	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1860	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1740	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1740	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 320	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 320	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2492	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2492	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 216	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 216	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1748	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 1748	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2428	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2428	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	powershell.exe
PID 2064 wrote to memory of 2236	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	cmd.exe
PID 2064 wrote to memory of 2236	2064	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe	cmd.exe
PID 2236 wrote to memory of 2228	2236	cmd.exe	w32tm.exe
PID 2236 wrote to memory of 2228	2236	cmd.exe	w32tm.exe
PID 2236 wrote to memory of 3240	2236	cmd.exe	backgroundTaskHost.exe
PID 2236 wrote to memory of 3240	2236	cmd.exe	backgroundTaskHost.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exebackgroundTaskHost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe
"C:\Users\Admin\AppData\Local\Temp\7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\SearchApp.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WmiPrvSE.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2228

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Documents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe
Filesize
1.9MB

MD5
39dac645fb473abe88ebf3bb28e360b0

SHA1
e2b8488b672d5765b404dc44f1ee6e0e005a2932

SHA256
7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7

SHA512
1f6d438429d1e7268fd9e757e2ae2af3a4418a700059cd69c712ed6dd0304bafc76400334a1a44fb45683908ec39bbfacfc2bf83e15ff2221de087e168dce6e2

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe
Filesize
1.9MB

MD5
39dac645fb473abe88ebf3bb28e360b0

SHA1
e2b8488b672d5765b404dc44f1ee6e0e005a2932

SHA256
7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7

SHA512
1f6d438429d1e7268fd9e757e2ae2af3a4418a700059cd69c712ed6dd0304bafc76400334a1a44fb45683908ec39bbfacfc2bf83e15ff2221de087e168dce6e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat
Filesize
256B

MD5
07d21ac269c73019313cf3b16019256a

SHA1
d9381aaaea7d5c0071615c1bb93490aea91bd8de

SHA256
64b755dfeb148db3d4b0da0c757b353c2fcb211259cb4d0d35de25d0d09bac01

SHA512
b513b22fd65f41972410a76381cdc8473d482c66d3dccabc85d766c3d97b5638813059b64ab4701352b8ef0e2215b9eacf8bac50b3d30c6620aa9b36f6732ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bzusobr.w5o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Videos\winlogon.exe
Filesize
1.9MB

MD5
39dac645fb473abe88ebf3bb28e360b0

SHA1
e2b8488b672d5765b404dc44f1ee6e0e005a2932

SHA256
7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7

SHA512
1f6d438429d1e7268fd9e757e2ae2af3a4418a700059cd69c712ed6dd0304bafc76400334a1a44fb45683908ec39bbfacfc2bf83e15ff2221de087e168dce6e2

Download Submit
C:\odt\RCX79DD.tmp
Filesize
1.9MB

MD5
a96934f049e3249c508d90060edc994f

SHA1
b1e466068ec97a87ae678230eac198955dfa57a4

SHA256
115cd7e94b7d91c51d1f3e10762295b74ed14410edd9269efbb4b00789828556

SHA512
8d2623a4b28811fdc5662b7f995d01e7df954af00c7897adefc1ecb6c3ae386e77f9cf6e00a02a1f217bff64bee18af10f2d94ea1575f0b42543118c23e32562

Download Submit
memory/216-478-0x000001B0B4630000-0x000001B0B4640000-memory.dmp

Filesize
64KB

Download
memory/216-371-0x000001B0B4630000-0x000001B0B4640000-memory.dmp

Filesize
64KB

Download
memory/320-481-0x00000235F1220000-0x00000235F1230000-memory.dmp

Filesize
64KB

Download
memory/320-441-0x00000235F1220000-0x00000235F1230000-memory.dmp

Filesize
64KB

Download
memory/1740-382-0x0000022ECAF20000-0x0000022ECAF30000-memory.dmp

Filesize
64KB

Download
memory/1740-473-0x0000022ECAF20000-0x0000022ECAF30000-memory.dmp

Filesize
64KB

Download
memory/1748-434-0x000001CBD66E0000-0x000001CBD66F0000-memory.dmp

Filesize
64KB

Download
memory/1748-475-0x000001CBD66E0000-0x000001CBD66F0000-memory.dmp

Filesize
64KB

Download
memory/1860-479-0x0000014798290000-0x00000147982A0000-memory.dmp

Filesize
64KB

Download
memory/2064-291-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/2064-133-0x0000000000420000-0x0000000000616000-memory.dmp

Filesize
2.0MB

Download
memory/2064-136-0x000000001D100000-0x000000001D628000-memory.dmp

Filesize
5.2MB

Download
memory/2064-135-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/2064-134-0x000000001C8C0000-0x000000001C910000-memory.dmp

Filesize
320KB

Download
memory/2492-440-0x000001C2740E0000-0x000001C2740F0000-memory.dmp

Filesize
64KB

Download
memory/2556-361-0x000001473BC10000-0x000001473BC20000-memory.dmp

Filesize
64KB

Download
memory/2556-347-0x000001473BC10000-0x000001473BC20000-memory.dmp

Filesize
64KB

Download
memory/2556-480-0x000001473BC10000-0x000001473BC20000-memory.dmp

Filesize
64KB

Download
memory/2556-511-0x000001473BC10000-0x000001473BC20000-memory.dmp

Filesize
64KB

Download
memory/3240-516-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/3380-476-0x000001BB44670000-0x000001BB44680000-memory.dmp

Filesize
64KB

Download
memory/3988-474-0x0000028E5B140000-0x0000028E5B150000-memory.dmp

Filesize
64KB

Download
memory/4124-337-0x0000027045BA0000-0x0000027045BB0000-memory.dmp

Filesize
64KB

Download
memory/4124-396-0x0000027045BB0000-0x0000027045BD2000-memory.dmp

Filesize
136KB

Download
memory/4156-512-0x0000020F6B0E0000-0x0000020F6B0F0000-memory.dmp

Filesize
64KB

Download
memory/4156-425-0x0000020F6B0E0000-0x0000020F6B0F0000-memory.dmp

Filesize
64KB

Download
memory/4156-427-0x0000020F6B0E0000-0x0000020F6B0F0000-memory.dmp

Filesize
64KB

Download
memory/4264-438-0x000001ECE7080000-0x000001ECE7090000-memory.dmp

Filesize
64KB

Download
memory/4264-439-0x000001ECE7080000-0x000001ECE7090000-memory.dmp

Filesize
64KB

Download
memory/4264-477-0x000001ECE7080000-0x000001ECE7090000-memory.dmp

Filesize
64KB

Download
memory/4268-336-0x0000013529C00000-0x0000013529C10000-memory.dmp

Filesize
64KB

Download
memory/4268-335-0x0000013529C00000-0x0000013529C10000-memory.dmp

Filesize
64KB

Download