dcrat | 294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15

Analysis

max time kernel
91s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fund.exe
Size

2.0MB
MD5

2d63112893ec4a3142f4f0b1f16f56db
SHA1

108a292cf6ea50e137a192aae121a8c6bd4c20dc
SHA256

294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15
SHA512

0a22a2fc4cc40e483127571601e534d51fd284816d77f2150c58d9215ae83b7180d132121be1d9d56b838e27e5072d2145f7a8a5c2da38b999977d26b22e82ad
SSDEEP

49152:ubA3j5/MFK5hftE2CQdLYlGU/qPWbQCVLsMhdzRNlbGM:ubKMFA1dElGfWbQCVLsMxr

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	180	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	748	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	748	schtasks.exe	84

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000600000002312a-143.dat	dcrat
behavioral2/files/0x000600000002312a-144.dat	dcrat
behavioral2/memory/4812-145-0x0000000000580000-0x0000000000746000-memory.dmp	dcrat
behavioral2/files/0x0006000000023130-151.dat	dcrat
behavioral2/files/0x0006000000023158-187.dat	dcrat
behavioral2/files/0x0007000000023135-226.dat	dcrat
behavioral2/files/0x000d000000023138-278.dat	dcrat
behavioral2/files/0x000d00000002314e-506.dat	dcrat
behavioral2/files/0x000d00000002314e-507.dat	dcrat
behavioral2/memory/2808-509-0x0000000000680000-0x0000000000846000-memory.dmp	dcrat
behavioral2/files/0x000d00000002314e-561.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	comSvc.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	fund.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	comSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 3 IoCs

pid	Process
4812	comSvc.exe
2808	lsass.exe
2176	lsass.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\RCXC08D.tmp	comSvc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\wininit.exe	comSvc.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\StartMenuExperienceHost.exe	comSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\69ddcba757bf72	comSvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\wininit.exe	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXAFF4.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe	comSvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\StartMenuExperienceHost.exe	comSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe	comSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe	comSvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RCXB4BB.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXBBA6.tmp	comSvc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\RCXC05D.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe	comSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\0a1fd5f707cd16	comSvc.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\55b276f4edf653	comSvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\56085415360792	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXB072.tmp	comSvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RCXB4EA.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXBBC6.tmp	comSvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\comSvc.exe	comSvc.exe
File created	C:\Windows\DiagTrack\Settings\SppExtComObj.exe	comSvc.exe
File created	C:\Windows\DiagTrack\Settings\e1ef82546f0b02	comSvc.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXBE19.tmp	comSvc.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXBE39.tmp	comSvc.exe
File opened for modification	C:\Windows\DiagTrack\Settings\SppExtComObj.exe	comSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5072	schtasks.exe
2060	schtasks.exe
1380	schtasks.exe
1656	schtasks.exe
2732	schtasks.exe
5036	schtasks.exe
1104	schtasks.exe
3752	schtasks.exe
2860	schtasks.exe
3060	schtasks.exe
2556	schtasks.exe
4372	schtasks.exe
2800	schtasks.exe
2384	schtasks.exe
4184	schtasks.exe
376	schtasks.exe
4504	schtasks.exe
3800	schtasks.exe
680	schtasks.exe
4500	schtasks.exe
2596	schtasks.exe
4824	schtasks.exe
4660	schtasks.exe
4872	schtasks.exe
1628	schtasks.exe
1052	schtasks.exe
180	schtasks.exe
1556	schtasks.exe
4996	schtasks.exe
2740	schtasks.exe
1384	schtasks.exe
3796	schtasks.exe
356	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings	fund.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	comSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4812	comSvc.exe
4908	powershell.exe
4908	powershell.exe
488	powershell.exe
488	powershell.exe
1120	powershell.exe
1120	powershell.exe
2636	powershell.exe
2636	powershell.exe
4856	powershell.exe
4856	powershell.exe
3508	powershell.exe
3508	powershell.exe
4848	powershell.exe
4848	powershell.exe
2040	powershell.exe
2040	powershell.exe
632	powershell.exe
632	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	comSvc.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2808	lsass.exe
Token: SeDebugPrivilege	2176	lsass.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3784	1708	fund.exe	80
PID 1708 wrote to memory of 3784	1708	fund.exe	80
PID 1708 wrote to memory of 3784	1708	fund.exe	80
PID 3784 wrote to memory of 4668	3784	WScript.exe	81
PID 3784 wrote to memory of 4668	3784	WScript.exe	81
PID 3784 wrote to memory of 4668	3784	WScript.exe	81
PID 4668 wrote to memory of 4812	4668	cmd.exe	83
PID 4668 wrote to memory of 4812	4668	cmd.exe	83
PID 4812 wrote to memory of 488	4812	comSvc.exe	118
PID 4812 wrote to memory of 488	4812	comSvc.exe	118
PID 4812 wrote to memory of 3508	4812	comSvc.exe	121
PID 4812 wrote to memory of 3508	4812	comSvc.exe	121
PID 4812 wrote to memory of 4908	4812	comSvc.exe	120
PID 4812 wrote to memory of 4908	4812	comSvc.exe	120
PID 4812 wrote to memory of 1120	4812	comSvc.exe	143
PID 4812 wrote to memory of 1120	4812	comSvc.exe	143
PID 4812 wrote to memory of 4856	4812	comSvc.exe	142
PID 4812 wrote to memory of 4856	4812	comSvc.exe	142
PID 4812 wrote to memory of 4976	4812	comSvc.exe	140
PID 4812 wrote to memory of 4976	4812	comSvc.exe	140
PID 4812 wrote to memory of 2636	4812	comSvc.exe	139
PID 4812 wrote to memory of 2636	4812	comSvc.exe	139
PID 4812 wrote to memory of 632	4812	comSvc.exe	137
PID 4812 wrote to memory of 632	4812	comSvc.exe	137
PID 4812 wrote to memory of 2352	4812	comSvc.exe	136
PID 4812 wrote to memory of 2352	4812	comSvc.exe	136
PID 4812 wrote to memory of 2040	4812	comSvc.exe	122
PID 4812 wrote to memory of 2040	4812	comSvc.exe	122
PID 4812 wrote to memory of 3844	4812	comSvc.exe	134
PID 4812 wrote to memory of 3844	4812	comSvc.exe	134
PID 4812 wrote to memory of 2312	4812	comSvc.exe	133
PID 4812 wrote to memory of 2312	4812	comSvc.exe	133
PID 4812 wrote to memory of 4848	4812	comSvc.exe	124
PID 4812 wrote to memory of 4848	4812	comSvc.exe	124
PID 4812 wrote to memory of 2808	4812	comSvc.exe	144
PID 4812 wrote to memory of 2808	4812	comSvc.exe	144
PID 2808 wrote to memory of 4972	2808	lsass.exe	145
PID 2808 wrote to memory of 4972	2808	lsass.exe	145
PID 2808 wrote to memory of 4200	2808	lsass.exe	146
PID 2808 wrote to memory of 4200	2808	lsass.exe	146
PID 4972 wrote to memory of 2176	4972	WScript.exe	162
PID 4972 wrote to memory of 2176	4972	WScript.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fund.exe
"C:\Users\Admin\AppData\Local\Temp\fund.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\DriverHostCrtNet\comSvc.exe
      "C:\DriverHostCrtNet\comSvc.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\odt\lsass.exe
        
        "C:\odt\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c389029c-c1e6-48cb-9b37-63c462f24822.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\odt\lsass.exe
        
        C:\odt\lsass.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62440da9-bd4c-4f02-b799-0534a68dc4dc.vbs"
        6⤵
        
        PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\DriverHostCrtNet\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\DriverHostCrtNet\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\DriverHostCrtNet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\DriverHostCrtNet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\DriverHostCrtNet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\Settings\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverHostCrtNet\ELvGRxvU.bat

Filesize
32B

MD5
39e72d40a9ddaaf86994f941af3f7465

SHA1
e4b7c6d895cb2ce60391ab1a4363425868b63204

SHA256
4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae

SHA512
beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1

Download Submit
C:\DriverHostCrtNet\RCXA8FA.tmp

Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
C:\DriverHostCrtNet\Registry.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe

Filesize
201B

MD5
82adae7375b04faa5979ee4a8ec018fe

SHA1
03399a4be44e3506e924019af67fbc4d5d52368b

SHA256
3a1dc9b632500be6a83a3ce53de4e6e5e09f2ea48ab7a7d79f51b68ec2278f44

SHA512
56b4c020d393ca69369fc538affb0787a19831e0536a6c61080c4c2e05c12624fb0bed5456676daaa09591c163ce6cd229f1e723c53965c2212912d442464c4a

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXBBA6.tmp

Filesize
1.7MB

MD5
b73d487ad9216c42e6189c4480640a64

SHA1
a49a617aa8d1ab9da10ce423d0786ef7cf3f0b57

SHA256
2ea655ec5003ef1e2be74515ec421cb404e8d1ac494e9ca37e7610b25882bf52

SHA512
42c91695760c23bafcdd478a6f2f53b42083134eacb2513c42843af54e70664fe6019af9e91cf3aeca3e2e3ce62d7b55a88e63d4067b5b31dc6c27d26708f3e5

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe

Filesize
1.7MB

MD5
17d59bbb11d456a98cc510834abcfacd

SHA1
ffbfd72687ba9e419dc519fe92134a4ab922aa6f

SHA256
1ddc8396cf8b424afb8754f0b3e0c37ae7d9fc6a5cb9126fc775a270e7818d32

SHA512
4331df0447b83bf491d03c577ce0d516875a6e8e1e4cbd2441ead2d2706386e5b04c77c19bcb774b0e16b7897f30fa0f327159d5405ff9f20133d473ee9c4a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\62440da9-bd4c-4f02-b799-0534a68dc4dc.vbs

Filesize
468B

MD5
48db2f45322049028a325024a3a9b846

SHA1
9b5ad7321fa5e1130c8f30ca2878935ac560060c

SHA256
33e0224f0ce36d79be8572eb5f94ef2fc435049e7d5a65719e9cf64000447021

SHA512
892d821344009e1f7bee705cc08af3389f3d9ed94bfe3b23d13ceb646c23f9510cfa938b3757c1451af4d70267f4bbc5324d450b9e33f05725e075cf0774cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkqbnrao.imo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c389029c-c1e6-48cb-9b37-63c462f24822.vbs

Filesize
692B

MD5
ce8a8bb38431bd3d8b478b57ce7e1c1a

SHA1
44ff2c4f74be84802e85c10e8610ee80a96ae78d

SHA256
c4b66320f4fc487c75344227042d4ff0699e201f6a5b300469b66dbfa90c1837

SHA512
c71ce4bee5f8e52c09e348a15f50d19aceb2dca0cfba1849f6a69dd36dd3fa436043bcf9f71c8f00e35d12be1dc79351e617fa5ec0903fc83d928539750a1d50

Download Submit
C:\odt\lsass.exe

Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
C:\odt\lsass.exe

Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
C:\odt\lsass.exe

Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
memory/488-361-0x0000015899490000-0x00000158994A0000-memory.dmp

Filesize
64KB

Download
memory/488-360-0x0000015899490000-0x00000158994A0000-memory.dmp

Filesize
64KB

Download
memory/632-407-0x00000285854F0000-0x0000028585500000-memory.dmp

Filesize
64KB

Download
memory/632-444-0x00000285854F0000-0x0000028585500000-memory.dmp

Filesize
64KB

Download
memory/1120-489-0x0000026EC6220000-0x0000026EC6230000-memory.dmp

Filesize
64KB

Download
memory/1120-475-0x0000026EC6220000-0x0000026EC6230000-memory.dmp

Filesize
64KB

Download
memory/2040-494-0x000001B94EC40000-0x000001B94EC50000-memory.dmp

Filesize
64KB

Download
memory/2312-523-0x000001B579D30000-0x000001B579D40000-memory.dmp

Filesize
64KB

Download
memory/2312-496-0x000001B579D30000-0x000001B579D40000-memory.dmp

Filesize
64KB

Download
memory/2312-513-0x000001B579D30000-0x000001B579D40000-memory.dmp

Filesize
64KB

Download
memory/2312-515-0x000001B579D30000-0x000001B579D40000-memory.dmp

Filesize
64KB

Download
memory/2352-495-0x000001851D4B0000-0x000001851D4C0000-memory.dmp

Filesize
64KB

Download
memory/2352-511-0x000001851D4B0000-0x000001851D4C0000-memory.dmp

Filesize
64KB

Download
memory/2352-514-0x000001851D4B0000-0x000001851D4C0000-memory.dmp

Filesize
64KB

Download
memory/2352-493-0x000001851D4B0000-0x000001851D4C0000-memory.dmp

Filesize
64KB

Download
memory/2636-364-0x0000017AEA390000-0x0000017AEA3A0000-memory.dmp

Filesize
64KB

Download
memory/2808-509-0x0000000000680000-0x0000000000846000-memory.dmp

Filesize
1.8MB

Download
memory/3508-521-0x00000247C79F0000-0x00000247C7A00000-memory.dmp

Filesize
64KB

Download
memory/3844-464-0x000001F6DA510000-0x000001F6DA520000-memory.dmp

Filesize
64KB

Download
memory/3844-517-0x000001F6DA510000-0x000001F6DA520000-memory.dmp

Filesize
64KB

Download
memory/3844-371-0x000001F6DAE40000-0x000001F6DAE62000-memory.dmp

Filesize
136KB

Download
memory/4812-159-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4812-160-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4812-161-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4812-203-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4812-147-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4812-146-0x0000000002B00000-0x0000000002B50000-memory.dmp

Filesize
320KB

Download
memory/4812-238-0x000000001C340000-0x000000001C440000-memory.dmp

Filesize
1024KB

Download
memory/4812-510-0x000000001C347000-0x000000001C34A000-memory.dmp

Filesize
12KB

Download
memory/4812-383-0x000000001C340000-0x000000001C440000-memory.dmp

Filesize
1024KB

Download
memory/4812-145-0x0000000000580000-0x0000000000746000-memory.dmp

Filesize
1.8MB

Download
memory/4848-387-0x000001CA593D0000-0x000001CA593E0000-memory.dmp

Filesize
64KB

Download
memory/4848-406-0x000001CA593D0000-0x000001CA593E0000-memory.dmp

Filesize
64KB

Download
memory/4848-512-0x000001CA593D0000-0x000001CA593E0000-memory.dmp

Filesize
64KB

Download
memory/4856-365-0x000001DBFB360000-0x000001DBFB370000-memory.dmp

Filesize
64KB

Download
memory/4856-376-0x000001DBFB360000-0x000001DBFB370000-memory.dmp

Filesize
64KB

Download
memory/4856-520-0x000001DBFB360000-0x000001DBFB370000-memory.dmp

Filesize
64KB

Download
memory/4908-363-0x00000264F9180000-0x00000264F9190000-memory.dmp

Filesize
64KB

Download
memory/4908-362-0x00000264F9180000-0x00000264F9190000-memory.dmp

Filesize
64KB

Download
memory/4908-519-0x00000264F9180000-0x00000264F9190000-memory.dmp

Filesize
64KB

Download
memory/4976-522-0x0000015FAC050000-0x0000015FAC060000-memory.dmp

Filesize
64KB

Download
memory/4976-497-0x0000015FAC050000-0x0000015FAC060000-memory.dmp

Filesize
64KB

Download
memory/4976-518-0x0000015FAC050000-0x0000015FAC060000-memory.dmp

Filesize
64KB

Download
memory/4976-516-0x0000015FAC050000-0x0000015FAC060000-memory.dmp

Filesize
64KB

Download