dcrat | 97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a022d070a6aad92cf2c2bd42904450e.exe
Size

1.4MB
MD5

0a022d070a6aad92cf2c2bd42904450e
SHA1

3b50c321894bc0979a237c97bbc9e15cc8fa0060
SHA256

97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64
SHA512

e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740
SSDEEP

12288:CXqxzqntNfrYusEIXwRg1k6+OkJzbS4qUMEsgZN8NGfmurA4tD9j4oI6P+QSvTM9:EOqnzzYuVowK4OkJ/S4qUM7H14Bp+xG

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1460	schtasks.exe
		1248	schtasks.exe
File created	C:\Windows\addins\7a0fd90576e088		0a022d070a6aad92cf2c2bd42904450e.exe
		4292	schtasks.exe
		2584	schtasks.exe
		3704	schtasks.exe
		1912	schtasks.exe
		4708	schtasks.exe
		4800	schtasks.exe
		3900	schtasks.exe
		2092	schtasks.exe
		116	schtasks.exe
File created	C:\Windows\addins\explorer.exe		0a022d070a6aad92cf2c2bd42904450e.exe
		2520	schtasks.exe
		3776	schtasks.exe
		1536	schtasks.exe
		2032	schtasks.exe
		220	schtasks.exe
		776	schtasks.exe
		2420	schtasks.exe
		1900	schtasks.exe
		2384	schtasks.exe
		2280	schtasks.exe
		736	schtasks.exe
		2292	schtasks.exe
		3144	schtasks.exe
		3964	schtasks.exe
		2104	schtasks.exe
		4200	schtasks.exe
		1520	schtasks.exe
		1544	schtasks.exe
		228	schtasks.exe
		2424	schtasks.exe
		1740	schtasks.exe
		2244	schtasks.exe
		1376	schtasks.exe
		4940	schtasks.exe
		3212	schtasks.exe
		3488	schtasks.exe
		732	schtasks.exe
		3176	schtasks.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4784	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4784	schtasks.exe	24

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	0a022d070a6aad92cf2c2bd42904450e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	0a022d070a6aad92cf2c2bd42904450e.exe

Executes dropped EXE 1 IoCs

pid	Process
4688	fontdrvhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\lsass.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files (x86)\Microsoft\6203df4a6bafc7	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\Windows Mail\sppsvc.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\Windows Mail\0a1fd5f707cd16	0a022d070a6aad92cf2c2bd42904450e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\69ddcba757bf72	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Windows\addins\explorer.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File opened for modification	C:\Windows\addins\explorer.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Windows\addins\7a0fd90576e088	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Windows\DigitalLocker\en-US\smss.exe	0a022d070a6aad92cf2c2bd42904450e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1740	schtasks.exe
4708	schtasks.exe
1520	schtasks.exe
3212	schtasks.exe
1900	schtasks.exe
2384	schtasks.exe
732	schtasks.exe
1912	schtasks.exe
2280	schtasks.exe
1536	schtasks.exe
3488	schtasks.exe
2292	schtasks.exe
2424	schtasks.exe
3964	schtasks.exe
1248	schtasks.exe
220	schtasks.exe
228	schtasks.exe
3144	schtasks.exe
2244	schtasks.exe
4940	schtasks.exe
4200	schtasks.exe
3776	schtasks.exe
2092	schtasks.exe
4292	schtasks.exe
3704	schtasks.exe
1544	schtasks.exe
3176	schtasks.exe
2420	schtasks.exe
1376	schtasks.exe
4800	schtasks.exe
3900	schtasks.exe
776	schtasks.exe
2520	schtasks.exe
736	schtasks.exe
116	schtasks.exe
2584	schtasks.exe
1460	schtasks.exe
2032	schtasks.exe
2104	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	0a022d070a6aad92cf2c2bd42904450e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2160	0a022d070a6aad92cf2c2bd42904450e.exe
2520	powershell.exe
2520	powershell.exe
4260	powershell.exe
4260	powershell.exe
1148	powershell.exe
1148	powershell.exe
4992	powershell.exe
4992	powershell.exe
1460	powershell.exe
1460	powershell.exe
4836	powershell.exe
4836	powershell.exe
4436	powershell.exe
3744	powershell.exe
4436	powershell.exe
3744	powershell.exe
3848	powershell.exe
3848	powershell.exe
4368	powershell.exe
4368	powershell.exe
2520	powershell.exe
2380	powershell.exe
2380	powershell.exe
820	powershell.exe
820	powershell.exe
3848	powershell.exe
4992	powershell.exe
4260	powershell.exe
1148	powershell.exe
1460	schtasks.exe
4836	powershell.exe
2380	powershell.exe
4436	powershell.exe
3744	powershell.exe
4368	powershell.exe
820	powershell.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1744	0a022d070a6aad92cf2c2bd42904450e.exe
1356	powershell.exe
1356	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4688	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	0a022d070a6aad92cf2c2bd42904450e.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1744	0a022d070a6aad92cf2c2bd42904450e.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	4688	fontdrvhost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 4260	2160	0a022d070a6aad92cf2c2bd42904450e.exe	90
PID 2160 wrote to memory of 4260	2160	0a022d070a6aad92cf2c2bd42904450e.exe	90
PID 2160 wrote to memory of 2520	2160	0a022d070a6aad92cf2c2bd42904450e.exe	113
PID 2160 wrote to memory of 2520	2160	0a022d070a6aad92cf2c2bd42904450e.exe	113
PID 2160 wrote to memory of 4992	2160	0a022d070a6aad92cf2c2bd42904450e.exe	91
PID 2160 wrote to memory of 4992	2160	0a022d070a6aad92cf2c2bd42904450e.exe	91
PID 2160 wrote to memory of 3744	2160	0a022d070a6aad92cf2c2bd42904450e.exe	92
PID 2160 wrote to memory of 3744	2160	0a022d070a6aad92cf2c2bd42904450e.exe	92
PID 2160 wrote to memory of 1148	2160	0a022d070a6aad92cf2c2bd42904450e.exe	111
PID 2160 wrote to memory of 1148	2160	0a022d070a6aad92cf2c2bd42904450e.exe	111
PID 2160 wrote to memory of 1460	2160	0a022d070a6aad92cf2c2bd42904450e.exe	109
PID 2160 wrote to memory of 1460	2160	0a022d070a6aad92cf2c2bd42904450e.exe	109
PID 2160 wrote to memory of 820	2160	0a022d070a6aad92cf2c2bd42904450e.exe	107
PID 2160 wrote to memory of 820	2160	0a022d070a6aad92cf2c2bd42904450e.exe	107
PID 2160 wrote to memory of 4368	2160	0a022d070a6aad92cf2c2bd42904450e.exe	106
PID 2160 wrote to memory of 4368	2160	0a022d070a6aad92cf2c2bd42904450e.exe	106
PID 2160 wrote to memory of 4436	2160	0a022d070a6aad92cf2c2bd42904450e.exe	93
PID 2160 wrote to memory of 4436	2160	0a022d070a6aad92cf2c2bd42904450e.exe	93
PID 2160 wrote to memory of 4836	2160	0a022d070a6aad92cf2c2bd42904450e.exe	94
PID 2160 wrote to memory of 4836	2160	0a022d070a6aad92cf2c2bd42904450e.exe	94
PID 2160 wrote to memory of 3848	2160	0a022d070a6aad92cf2c2bd42904450e.exe	104
PID 2160 wrote to memory of 3848	2160	0a022d070a6aad92cf2c2bd42904450e.exe	104
PID 2160 wrote to memory of 2380	2160	0a022d070a6aad92cf2c2bd42904450e.exe	102
PID 2160 wrote to memory of 2380	2160	0a022d070a6aad92cf2c2bd42904450e.exe	102
PID 2160 wrote to memory of 3376	2160	0a022d070a6aad92cf2c2bd42904450e.exe	114
PID 2160 wrote to memory of 3376	2160	0a022d070a6aad92cf2c2bd42904450e.exe	114
PID 3376 wrote to memory of 4904	3376	cmd.exe	116
PID 3376 wrote to memory of 4904	3376	cmd.exe	116
PID 3376 wrote to memory of 1744	3376	cmd.exe	120
PID 3376 wrote to memory of 1744	3376	cmd.exe	120
PID 1744 wrote to memory of 4912	1744	0a022d070a6aad92cf2c2bd42904450e.exe	155
PID 1744 wrote to memory of 4912	1744	0a022d070a6aad92cf2c2bd42904450e.exe	155
PID 1744 wrote to memory of 1764	1744	0a022d070a6aad92cf2c2bd42904450e.exe	156
PID 1744 wrote to memory of 1764	1744	0a022d070a6aad92cf2c2bd42904450e.exe	156
PID 1744 wrote to memory of 4816	1744	0a022d070a6aad92cf2c2bd42904450e.exe	157
PID 1744 wrote to memory of 4816	1744	0a022d070a6aad92cf2c2bd42904450e.exe	157
PID 1744 wrote to memory of 1280	1744	0a022d070a6aad92cf2c2bd42904450e.exe	158
PID 1744 wrote to memory of 1280	1744	0a022d070a6aad92cf2c2bd42904450e.exe	158
PID 1744 wrote to memory of 2580	1744	0a022d070a6aad92cf2c2bd42904450e.exe	159
PID 1744 wrote to memory of 2580	1744	0a022d070a6aad92cf2c2bd42904450e.exe	159
PID 1744 wrote to memory of 676	1744	0a022d070a6aad92cf2c2bd42904450e.exe	160
PID 1744 wrote to memory of 676	1744	0a022d070a6aad92cf2c2bd42904450e.exe	160
PID 1744 wrote to memory of 1156	1744	0a022d070a6aad92cf2c2bd42904450e.exe	161
PID 1744 wrote to memory of 1156	1744	0a022d070a6aad92cf2c2bd42904450e.exe	161
PID 1744 wrote to memory of 3540	1744	0a022d070a6aad92cf2c2bd42904450e.exe	162
PID 1744 wrote to memory of 3540	1744	0a022d070a6aad92cf2c2bd42904450e.exe	162
PID 1744 wrote to memory of 1356	1744	0a022d070a6aad92cf2c2bd42904450e.exe	163
PID 1744 wrote to memory of 1356	1744	0a022d070a6aad92cf2c2bd42904450e.exe	163
PID 1744 wrote to memory of 2240	1744	0a022d070a6aad92cf2c2bd42904450e.exe	164
PID 1744 wrote to memory of 2240	1744	0a022d070a6aad92cf2c2bd42904450e.exe	164
PID 1744 wrote to memory of 3432	1744	0a022d070a6aad92cf2c2bd42904450e.exe	165
PID 1744 wrote to memory of 3432	1744	0a022d070a6aad92cf2c2bd42904450e.exe	165
PID 1744 wrote to memory of 4992	1744	0a022d070a6aad92cf2c2bd42904450e.exe	166
PID 1744 wrote to memory of 4992	1744	0a022d070a6aad92cf2c2bd42904450e.exe	166
PID 1744 wrote to memory of 4688	1744	0a022d070a6aad92cf2c2bd42904450e.exe	179
PID 1744 wrote to memory of 4688	1744	0a022d070a6aad92cf2c2bd42904450e.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe
"C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wBFOC1T0IQ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4904
- - C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe
    "C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Users\Admin\Templates\fontdrvhost.exe
      "C:\Users\Admin\Templates\fontdrvhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\odt\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0a022d070a6aad92cf2c2bd42904450e.exe.log

Filesize
1KB

MD5
c6ecc3bc2cdd7883e4f2039a5a5cf884

SHA1
20c9dd2a200e4b0390d490a7a76fa184bfc78151

SHA256
b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

SHA512
892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
272dc716c99407615cc54be63824cd1e

SHA1
6aeeeee0a254473427af394b161c1020cf74ec0a

SHA256
0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

SHA512
5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab1c06eb58feaa4c391aca847a9d8c22

SHA1
7135120dfad41b4d64e675294e1b974891b3ee76

SHA256
3705f63962d11b61c726853043b5c47800b77b3392f8ef42921fb31514eeba8e

SHA512
8fe9947248e64b2cb94af62bc8126f4c13700254a17a204b58535cb9ad32919be5aeca0e745127ceb8c666dc3b3140bb406d7591b32531c6c3eb1771ee571edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab1c06eb58feaa4c391aca847a9d8c22

SHA1
7135120dfad41b4d64e675294e1b974891b3ee76

SHA256
3705f63962d11b61c726853043b5c47800b77b3392f8ef42921fb31514eeba8e

SHA512
8fe9947248e64b2cb94af62bc8126f4c13700254a17a204b58535cb9ad32919be5aeca0e745127ceb8c666dc3b3140bb406d7591b32531c6c3eb1771ee571edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15b45335e7c2e7f19c76c86c0dc44f25

SHA1
541b528c4e73f038961f778b708a51d3e80429b4

SHA256
a6bca4723b2c559fb4a7526470f3b595d0a4d6e9e464e801faa57e6019d47a74

SHA512
fa9d898d9eef5844bdfa3f39c88e7a21656a7767e0e19322e980ae5b57520941a1327acde83427a5c06eae4af4e618bf9749bc319e60cd81d924edb3e665b7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0517d7daa86e87ab93c37adcb931f498

SHA1
6b243308a84f033c4943c7f63c0f824d8db31a13

SHA256
3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

SHA512
a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15b45335e7c2e7f19c76c86c0dc44f25

SHA1
541b528c4e73f038961f778b708a51d3e80429b4

SHA256
a6bca4723b2c559fb4a7526470f3b595d0a4d6e9e464e801faa57e6019d47a74

SHA512
fa9d898d9eef5844bdfa3f39c88e7a21656a7767e0e19322e980ae5b57520941a1327acde83427a5c06eae4af4e618bf9749bc319e60cd81d924edb3e665b7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15b45335e7c2e7f19c76c86c0dc44f25

SHA1
541b528c4e73f038961f778b708a51d3e80429b4

SHA256
a6bca4723b2c559fb4a7526470f3b595d0a4d6e9e464e801faa57e6019d47a74

SHA512
fa9d898d9eef5844bdfa3f39c88e7a21656a7767e0e19322e980ae5b57520941a1327acde83427a5c06eae4af4e618bf9749bc319e60cd81d924edb3e665b7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15b45335e7c2e7f19c76c86c0dc44f25

SHA1
541b528c4e73f038961f778b708a51d3e80429b4

SHA256
a6bca4723b2c559fb4a7526470f3b595d0a4d6e9e464e801faa57e6019d47a74

SHA512
fa9d898d9eef5844bdfa3f39c88e7a21656a7767e0e19322e980ae5b57520941a1327acde83427a5c06eae4af4e618bf9749bc319e60cd81d924edb3e665b7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34477c71724989cda19ddd7a5a4d7b29

SHA1
debaa011b19ba910190607cc62ed2ec2212dfa0c

SHA256
59a4123ada3faee2ab3d8be31e8b523c574acc9ade3761a4564db03f83190c98

SHA512
c61d2254e664ce601c58eae8ed3d0346ca399a780587ed884db66db5e345725597b8076fd6d0ada823df034d227f004a1c545d9f9fb6c7349adcfeb8215beee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34477c71724989cda19ddd7a5a4d7b29

SHA1
debaa011b19ba910190607cc62ed2ec2212dfa0c

SHA256
59a4123ada3faee2ab3d8be31e8b523c574acc9ade3761a4564db03f83190c98

SHA512
c61d2254e664ce601c58eae8ed3d0346ca399a780587ed884db66db5e345725597b8076fd6d0ada823df034d227f004a1c545d9f9fb6c7349adcfeb8215beee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyv33bsv.f3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wBFOC1T0IQ.bat

Filesize
235B

MD5
1cb114b9cdb9699b29b7d36785debf22

SHA1
e459f596c307b0bdd2ef340bef6e7755cb18278c

SHA256
ffec2703223a69f1eaeed2cf3d8153045af4f844cc7c739bbcfd814a3cac8902

SHA512
7dab3db78ec41d1b76d1ebad8928b356513194050513edf3f4ccec732cbe698d02e39fcdcddd016e92e49445f4dca210e6779c462806820d6f2904853480ebb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
C:\Users\Admin\Templates\fontdrvhost.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
C:\Windows\DigitalLocker\en-US\smss.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
memory/676-480-0x000001B875DC0000-0x000001B875DD0000-memory.dmp

Filesize
64KB

Download
memory/676-492-0x000001B875DC0000-0x000001B875DD0000-memory.dmp

Filesize
64KB

Download
memory/820-280-0x000002ED99C20000-0x000002ED99C30000-memory.dmp

Filesize
64KB

Download
memory/820-238-0x000002ED99C20000-0x000002ED99C30000-memory.dmp

Filesize
64KB

Download
memory/820-334-0x000002ED99B70000-0x000002ED99B8E000-memory.dmp

Filesize
120KB

Download
memory/820-336-0x000002ED99B90000-0x000002ED99BD8000-memory.dmp

Filesize
288KB

Download
memory/1148-325-0x0000025414480000-0x000002541449E000-memory.dmp

Filesize
120KB

Download
memory/1148-327-0x00000254144A0000-0x00000254144E8000-memory.dmp

Filesize
288KB

Download
memory/1148-286-0x0000025414470000-0x0000025414480000-memory.dmp

Filesize
64KB

Download
memory/1156-483-0x000001F11CE40000-0x000001F11CE50000-memory.dmp

Filesize
64KB

Download
memory/1156-497-0x000001F11CE40000-0x000001F11CE50000-memory.dmp

Filesize
64KB

Download
memory/1280-475-0x000001B7745A0000-0x000001B7745B0000-memory.dmp

Filesize
64KB

Download
memory/1280-495-0x000001B7745A0000-0x000001B7745B0000-memory.dmp

Filesize
64KB

Download
memory/1356-428-0x000001F9B68F0000-0x000001F9B6900000-memory.dmp

Filesize
64KB

Download
memory/1356-489-0x000001F9B68F0000-0x000001F9B6900000-memory.dmp

Filesize
64KB

Download
memory/1460-228-0x0000016C72D30000-0x0000016C72D40000-memory.dmp

Filesize
64KB

Download
memory/1460-305-0x0000016C72CE0000-0x0000016C72D28000-memory.dmp

Filesize
288KB

Download
memory/1460-229-0x0000016C72D30000-0x0000016C72D40000-memory.dmp

Filesize
64KB

Download
memory/1460-282-0x0000016C72D30000-0x0000016C72D40000-memory.dmp

Filesize
64KB

Download
memory/1460-276-0x0000016C72D30000-0x0000016C72D40000-memory.dmp

Filesize
64KB

Download
memory/1460-301-0x0000016C5A800000-0x0000016C5A81E000-memory.dmp

Filesize
120KB

Download
memory/1744-338-0x000000001BD50000-0x000000001BD60000-memory.dmp

Filesize
64KB

Download
memory/1764-486-0x0000010C9ED80000-0x0000010C9ED90000-memory.dmp

Filesize
64KB

Download
memory/2160-133-0x0000000000DB0000-0x0000000000F16000-memory.dmp

Filesize
1.4MB

Download
memory/2160-135-0x000000001D630000-0x000000001D680000-memory.dmp

Filesize
320KB

Download
memory/2160-134-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2240-461-0x000001D4F74D0000-0x000001D4F74E0000-memory.dmp

Filesize
64KB

Download
memory/2240-490-0x000001D4F74D0000-0x000001D4F74E0000-memory.dmp

Filesize
64KB

Download
memory/2240-476-0x000001D4F74D0000-0x000001D4F74E0000-memory.dmp

Filesize
64KB

Download
memory/2240-496-0x000001D4F74D0000-0x000001D4F74E0000-memory.dmp

Filesize
64KB

Download
memory/2380-277-0x0000019B27D90000-0x0000019B27DA0000-memory.dmp

Filesize
64KB

Download
memory/2380-235-0x0000019B27D90000-0x0000019B27DA0000-memory.dmp

Filesize
64KB

Download
memory/2380-326-0x0000019B0DDC0000-0x0000019B0DDDE000-memory.dmp

Filesize
120KB

Download
memory/2380-287-0x0000019B27D90000-0x0000019B27DA0000-memory.dmp

Filesize
64KB

Download
memory/2380-328-0x0000019B0FB60000-0x0000019B0FBA8000-memory.dmp

Filesize
288KB

Download
memory/2520-231-0x0000025EEECA0000-0x0000025EEECB0000-memory.dmp

Filesize
64KB

Download
memory/2520-240-0x0000025EEECA0000-0x0000025EEECB0000-memory.dmp

Filesize
64KB

Download
memory/2520-297-0x0000025EEEB10000-0x0000025EEEB2E000-memory.dmp

Filesize
120KB

Download
memory/2520-304-0x0000025EEF930000-0x0000025EEF978000-memory.dmp

Filesize
288KB

Download
memory/2580-481-0x0000026B5D0A0000-0x0000026B5D0B0000-memory.dmp

Filesize
64KB

Download
memory/2580-482-0x0000026B5D0A0000-0x0000026B5D0B0000-memory.dmp

Filesize
64KB

Download
memory/3432-478-0x0000023D2ED50000-0x0000023D2ED60000-memory.dmp

Filesize
64KB

Download
memory/3432-479-0x0000023D2ED50000-0x0000023D2ED60000-memory.dmp

Filesize
64KB

Download
memory/3540-418-0x0000029CD3BA0000-0x0000029CD3BB0000-memory.dmp

Filesize
64KB

Download
memory/3540-485-0x0000029CD3BA0000-0x0000029CD3BB0000-memory.dmp

Filesize
64KB

Download
memory/3540-493-0x0000029CD3BA0000-0x0000029CD3BB0000-memory.dmp

Filesize
64KB

Download
memory/3744-278-0x000001D732A90000-0x000001D732AA0000-memory.dmp

Filesize
64KB

Download
memory/3744-230-0x000001D732A90000-0x000001D732AA0000-memory.dmp

Filesize
64KB

Download
memory/3744-284-0x000001D732A90000-0x000001D732AA0000-memory.dmp

Filesize
64KB

Download
memory/3744-313-0x000001D732630000-0x000001D73264E000-memory.dmp

Filesize
120KB

Download
memory/3744-318-0x000001D732A30000-0x000001D732A78000-memory.dmp

Filesize
288KB

Download
memory/3848-272-0x000001E7B24D0000-0x000001E7B24E0000-memory.dmp

Filesize
64KB

Download
memory/3848-232-0x000001E7B24D0000-0x000001E7B24E0000-memory.dmp

Filesize
64KB

Download
memory/3848-303-0x000001E7B24B0000-0x000001E7B24CE000-memory.dmp

Filesize
120KB

Download
memory/3848-283-0x000001E7B24D0000-0x000001E7B24E0000-memory.dmp

Filesize
64KB

Download
memory/3848-307-0x000001E7B3230000-0x000001E7B3278000-memory.dmp

Filesize
288KB

Download
memory/4260-274-0x0000025C9D6C0000-0x0000025C9D6D0000-memory.dmp

Filesize
64KB

Download
memory/4260-210-0x0000025C9D6C0000-0x0000025C9D6D0000-memory.dmp

Filesize
64KB

Download
memory/4260-298-0x0000025C9D6A0000-0x0000025C9D6BE000-memory.dmp

Filesize
120KB

Download
memory/4260-302-0x0000025C9E350000-0x0000025C9E398000-memory.dmp

Filesize
288KB

Download
memory/4260-191-0x0000025C9D6C0000-0x0000025C9D6D0000-memory.dmp

Filesize
64KB

Download
memory/4368-237-0x000001C6F2A30000-0x000001C6F2A40000-memory.dmp

Filesize
64KB

Download
memory/4368-333-0x000001C6F2720000-0x000001C6F273E000-memory.dmp

Filesize
120KB

Download
memory/4368-335-0x000001C6F29E0000-0x000001C6F2A28000-memory.dmp

Filesize
288KB

Download
memory/4368-279-0x000001C6F2A30000-0x000001C6F2A40000-memory.dmp

Filesize
64KB

Download
memory/4368-239-0x000001C6F2A30000-0x000001C6F2A40000-memory.dmp

Filesize
64KB

Download
memory/4436-322-0x0000020159E10000-0x0000020159E58000-memory.dmp

Filesize
288KB

Download
memory/4436-317-0x0000020140DF0000-0x0000020140E0E000-memory.dmp

Filesize
120KB

Download
memory/4436-233-0x000002013F2A0000-0x000002013F2B0000-memory.dmp

Filesize
64KB

Download
memory/4436-234-0x000002013F2A0000-0x000002013F2B0000-memory.dmp

Filesize
64KB

Download
memory/4688-487-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4816-488-0x000002EB541F0000-0x000002EB54200000-memory.dmp

Filesize
64KB

Download
memory/4816-484-0x000002EB541F0000-0x000002EB54200000-memory.dmp

Filesize
64KB

Download
memory/4816-494-0x000002EB541F0000-0x000002EB54200000-memory.dmp

Filesize
64KB

Download
memory/4836-316-0x000001FBB7EC0000-0x000001FBB7EDE000-memory.dmp

Filesize
120KB

Download
memory/4836-321-0x000001FBD0110000-0x000001FBD0158000-memory.dmp

Filesize
288KB

Download
memory/4836-275-0x000001FBD0240000-0x000001FBD0250000-memory.dmp

Filesize
64KB

Download
memory/4836-285-0x000001FBD0240000-0x000001FBD0250000-memory.dmp

Filesize
64KB

Download
memory/4836-236-0x000001FBD0240000-0x000001FBD0250000-memory.dmp

Filesize
64KB

Download
memory/4992-306-0x0000021A80E90000-0x0000021A80EAE000-memory.dmp

Filesize
120KB

Download
memory/4992-491-0x000001F8F8870000-0x000001F8F8880000-memory.dmp

Filesize
64KB

Download
memory/4992-438-0x000001F8F8870000-0x000001F8F8880000-memory.dmp

Filesize
64KB

Download
memory/4992-281-0x0000021AFFF20000-0x0000021AFFF30000-memory.dmp

Filesize
64KB

Download
memory/4992-227-0x0000021AFFF20000-0x0000021AFFF30000-memory.dmp

Filesize
64KB

Download
memory/4992-220-0x0000021AFFF20000-0x0000021AFFF30000-memory.dmp

Filesize
64KB

Download
memory/4992-273-0x0000021AFFF20000-0x0000021AFFF30000-memory.dmp

Filesize
64KB

Download
memory/4992-308-0x0000021A80EB0000-0x0000021A80EF8000-memory.dmp

Filesize
288KB

Download
memory/4992-159-0x0000021AE7B80000-0x0000021AE7BA2000-memory.dmp

Filesize
136KB

Download