dcrat | 779944ef7b50dcc97c14b28c133b36f93c33299381e17ce80444562fdd82a79c

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extrude.exe
Size

1.1MB
MD5

75b7f43476e40833c80636fa9e6b7ebc
SHA1

75849108978003895e774680549cad97edb215e9
SHA256

89b41e3a1d1feef8f7ada88762624d7bd92a8fc2d2a1549741ca83b6512c3ef1
SHA512

aa8ac4e5ac2bd9f605fca5275888bfa533701f3fddef7d5d6344a8957bbfe4385e6ccdf562b19e9e4c00eeed35792e1ced71ffb9c7a35eec5bf45e938a028a8a
SSDEEP

24576:P2G/nvxW3Wn0VZlQoCOXU/UUjxZXSzHifMw:PbA3pVZlQ7OXGX+zCZ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4584	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\BridgeMsrefCommon\runtimedll.exe	dcrat
C:\BridgeMsrefCommon\runtimedll.exe	dcrat
behavioral1/memory/3084-145-0x0000000000010000-0x00000000000E6000-memory.dmp	dcrat
C:\BridgeMsrefCommon\StartMenuExperienceHost.exe	dcrat
C:\BridgeMsrefCommon\runtimedll.exe	dcrat
C:\Program Files (x86)\WindowsPowerShell\explorer.exe	dcrat
C:\Program Files (x86)\WindowsPowerShell\explorer.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runtimedll.exeExtrude.exeWScript.exeruntimedll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	runtimedll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Extrude.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	runtimedll.exe

Executes dropped EXE 3 IoCs

Processes:

runtimedll.exeruntimedll.exeexplorer.exe

pid process

3084 runtimedll.exe
4628 runtimedll.exe
2408 explorer.exe

Drops file in Program Files directory 13 IoCs

Processes:

runtimedll.exeruntimedll.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\en-US\69ddcba757bf72	runtimedll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	runtimedll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\runtimedll.exe	runtimedll.exe
File created	C:\Program Files (x86)\WindowsPowerShell\explorer.exe	runtimedll.exe
File created	C:\Program Files (x86)\WindowsPowerShell\7a0fd90576e088	runtimedll.exe
File created	C:\Program Files\Windows Mail\services.exe	runtimedll.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\smss.exe	runtimedll.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\smss.exe	runtimedll.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	runtimedll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	runtimedll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\22be2db5f700a7	runtimedll.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\unsecapp.exe	runtimedll.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\29c1c3cc0f7685	runtimedll.exe

Drops file in Windows directory 8 IoCs

Processes:

runtimedll.exeruntimedll.exe

description	ioc	process
File created	C:\Windows\L2Schemas\9e8d7a4ca61bd9	runtimedll.exe
File created	C:\Windows\addins\StartMenuExperienceHost.exe	runtimedll.exe
File created	C:\Windows\addins\55b276f4edf653	runtimedll.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\WaaSMedicAgent.exe	runtimedll.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\c82b8037eab33d	runtimedll.exe
File created	C:\Windows\PolicyDefinitions\en-US\sihost.exe	runtimedll.exe
File created	C:\Windows\PolicyDefinitions\en-US\66fc9ff0ee96c2	runtimedll.exe
File created	C:\Windows\L2Schemas\RuntimeBroker.exe	runtimedll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
60	schtasks.exe
3740	schtasks.exe
3980	schtasks.exe
1240	schtasks.exe
4296	schtasks.exe
796	schtasks.exe
1348	schtasks.exe
3320	schtasks.exe
3480	schtasks.exe
4492	schtasks.exe
4788	schtasks.exe
3644	schtasks.exe
4316	schtasks.exe
1504	schtasks.exe
2428	schtasks.exe
1168	schtasks.exe
1180	schtasks.exe
4368	schtasks.exe
2296	schtasks.exe
3916	schtasks.exe
4792	schtasks.exe
548	schtasks.exe
3572	schtasks.exe
1496	schtasks.exe
4712	schtasks.exe
1664	schtasks.exe
4968	schtasks.exe
1500	schtasks.exe
3432	schtasks.exe
2248	schtasks.exe
4568	schtasks.exe
940	schtasks.exe
2864	schtasks.exe
4864	schtasks.exe
1592	schtasks.exe
3704	schtasks.exe
1636	schtasks.exe
3240	schtasks.exe
2804	schtasks.exe
1344	schtasks.exe
4432	schtasks.exe
4400	schtasks.exe
628	schtasks.exe
4408	schtasks.exe
1556	schtasks.exe
5072	schtasks.exe
1608	schtasks.exe
1816	schtasks.exe
1968	schtasks.exe
2748	schtasks.exe
3208	schtasks.exe
4104	schtasks.exe
4412	schtasks.exe
3840	schtasks.exe
3720	schtasks.exe
4024	schtasks.exe
3304	schtasks.exe
1124	schtasks.exe
484	schtasks.exe
1096	schtasks.exe
2496	schtasks.exe
2856	schtasks.exe
2312	schtasks.exe
3604	schtasks.exe

Modifies registry class 2 IoCs

Processes:

runtimedll.exeExtrude.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	runtimedll.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Extrude.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

runtimedll.exeruntimedll.exeexplorer.exe

pid	process
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
3084	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
4628	runtimedll.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2408 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

runtimedll.exeruntimedll.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 3084 runtimedll.exe
Token: SeDebugPrivilege 4628 runtimedll.exe
Token: SeDebugPrivilege 2408 explorer.exe

pid	process
2408	explorer.exe

description	pid	process
Token: SeDebugPrivilege	3084	runtimedll.exe
Token: SeDebugPrivilege	4628	runtimedll.exe
Token: SeDebugPrivilege	2408	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Extrude.exeWScript.execmd.exeruntimedll.exeruntimedll.execmd.exe

description	pid	process	target process
PID 4144 wrote to memory of 4420	4144	Extrude.exe	WScript.exe
PID 4144 wrote to memory of 4420	4144	Extrude.exe	WScript.exe
PID 4144 wrote to memory of 4420	4144	Extrude.exe	WScript.exe
PID 4420 wrote to memory of 228	4420	WScript.exe	cmd.exe
PID 4420 wrote to memory of 228	4420	WScript.exe	cmd.exe
PID 4420 wrote to memory of 228	4420	WScript.exe	cmd.exe
PID 228 wrote to memory of 3084	228	cmd.exe	runtimedll.exe
PID 228 wrote to memory of 3084	228	cmd.exe	runtimedll.exe
PID 3084 wrote to memory of 4628	3084	runtimedll.exe	runtimedll.exe
PID 3084 wrote to memory of 4628	3084	runtimedll.exe	runtimedll.exe
PID 4628 wrote to memory of 3056	4628	runtimedll.exe	cmd.exe
PID 4628 wrote to memory of 3056	4628	runtimedll.exe	cmd.exe
PID 3056 wrote to memory of 3932	3056	cmd.exe	w32tm.exe
PID 3056 wrote to memory of 3932	3056	cmd.exe	w32tm.exe
PID 3056 wrote to memory of 2408	3056	cmd.exe	explorer.exe
PID 3056 wrote to memory of 2408	3056	cmd.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Extrude.exe
"C:\Users\Admin\AppData\Local\Temp\Extrude.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BridgeMsrefCommon\qI5u7QOfYDjKkf6Q4X3.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BridgeMsrefCommon\NnBhGXXJTE6iCgw3KRayFQHoiixxX8.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\BridgeMsrefCommon\runtimedll.exe
"C:\BridgeMsrefCommon\runtimedll.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\BridgeMsrefCommon\runtimedll.exe
"C:\BridgeMsrefCommon\runtimedll.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kk868PkNGM.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3932

C:\Program Files (x86)\WindowsPowerShell\explorer.exe
"C:\Program Files (x86)\WindowsPowerShell\explorer.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\BridgeMsrefCommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\BridgeMsrefCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\BridgeMsrefCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\BridgeMsrefCommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BridgeMsrefCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\BridgeMsrefCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\BridgeMsrefCommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\BridgeMsrefCommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\BridgeMsrefCommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\BridgeMsrefCommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BridgeMsrefCommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\BridgeMsrefCommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimedllr" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\runtimedll.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimedll" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\runtimedll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimedllr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\runtimedll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeMsrefCommon\NnBhGXXJTE6iCgw3KRayFQHoiixxX8.bat
Filesize
37B

MD5
2254ed9a44ae57490b8f9680f9ec7b5d

SHA1
47ed75fadc44157b9519334a7d221fda4075355b

SHA256
de7c145a5f9b4e31004701eb4117244bfeb0c2f2e75345b166a3d50105f496e9

SHA512
4094a38e763f80c896e253f48e048a267a73c1e0ee1b4875055042d119e1290bd72b500c1ed04fdf55363a7f1d099dcb57919743777bef1dd56495ab1139c6e3

Download Submit
C:\BridgeMsrefCommon\StartMenuExperienceHost.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\BridgeMsrefCommon\qI5u7QOfYDjKkf6Q4X3.vbe
Filesize
224B

MD5
145266da6b4910c1b890e040b1333727

SHA1
841d6c8c8cc477cab8a6a7c9de53b4c0de3c713f

SHA256
6f635503b599c0652d06839f04dbba9db5df17db04d7678faa8df14ef6e2180b

SHA512
a67205ab3b5eab3f38ea10b6fea04292c3010b16dedbc20a4a7d82db9c58b5c5abe9d593e15fc5803bd3cd56d24be37998a2a06822ab91d515ed4b23a7e4de8e

Download Submit
C:\BridgeMsrefCommon\runtimedll.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\BridgeMsrefCommon\runtimedll.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\BridgeMsrefCommon\runtimedll.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\Program Files (x86)\WindowsPowerShell\explorer.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\Program Files (x86)\WindowsPowerShell\explorer.exe
Filesize
828KB

MD5
0df96d6a4484ed8030f85948878a33b5

SHA1
6c7578e67107fa53b90a189c05f0da882ec5cca4

SHA256
650045728996670bbedf94be22d67bfb7cdad5332a7e5ec25bdfba253fa20897

SHA512
65ee59e185617dcbe23f55acde016b9be6cddd30cc52f6889aa0753f739e3bee94c0bbd9f06206389b0851780c6339437392909bdab68f884ed11efcf0c97784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\runtimedll.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kk868PkNGM.bat
Filesize
218B

MD5
e955da640d0fa7b23202e016c2c00f14

SHA1
527fa194cbed948800cd591593063966afaa2137

SHA256
7fce7a4c4dd13ff0fb973061bdadc653eb9ad5a524b447ed32f1f5eab82fc384

SHA512
d78e5185f7e926b3ce1e1d82ebbd7e33ef0b62b9422499c0933d562a81646bf0f08ae805a2c1bdbcb5879cd6cb66b6724dd255d4f83d3920c1c12df864c084d3

Download Submit
memory/2408-210-0x000000001C8E0000-0x000000001C8F0000-memory.dmp

Filesize
64KB

Download
memory/2408-209-0x000000001C8E0000-0x000000001C8F0000-memory.dmp

Filesize
64KB

Download
memory/3084-156-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3084-145-0x0000000000010000-0x00000000000E6000-memory.dmp

Filesize
856KB

Download
memory/4628-168-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download