dcrat | 51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

Analysis

max time kernel
130s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

devalt.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3536	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3536	schtasks.exe	39

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000023206-143.dat	dcrat
behavioral2/files/0x0006000000023206-144.dat	dcrat
behavioral2/memory/3976-145-0x0000000000700000-0x00000000008C0000-memory.dmp	dcrat
behavioral2/files/0x000600000002320b-154.dat	dcrat
behavioral2/files/0x0008000000023248-217.dat	dcrat
behavioral2/files/0x0009000000023248-232.dat	dcrat
behavioral2/files/0x000900000002320e-256.dat	dcrat
behavioral2/files/0x000700000002322e-373.dat	dcrat
behavioral2/memory/3976-390-0x000000001CCF0000-0x000000001CDF0000-memory.dmp	dcrat
behavioral2/files/0x000c000000023231-408.dat	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

devalt.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	devalt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

SurrogateDll.exe

pid	Process
3976	SurrogateDll.exe

Drops file in Program Files directory 20 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\csrss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXDE6F.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXDE8F.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\System.exe	SurrogateDll.exe
File created	C:\Program Files\Common Files\DESIGNER\System.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\886983d96e3d3e	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXCD0B.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXCD5A.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXD3D8.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCXE2C8.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCXE337.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe	SurrogateDll.exe
File created	C:\Program Files\Common Files\DESIGNER\27d1bcfc3c54e0	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXD465.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\csrss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\24dbde2999530e	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ea9f0e6c9e2dcd	SurrogateDll.exe

Drops file in Windows directory 5 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\ja-JP\RCXBFC4.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\ja-JP\dllhost.exe	SurrogateDll.exe
File created	C:\Windows\ja-JP\dllhost.exe	SurrogateDll.exe
File created	C:\Windows\ja-JP\5940a34987c991	SurrogateDll.exe
File opened for modification	C:\Windows\ja-JP\RCXBFB3.tmp	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4496	3976	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
3904	schtasks.exe
4664	schtasks.exe
4472	schtasks.exe
772	schtasks.exe
2640	schtasks.exe
2368	schtasks.exe
4624	schtasks.exe
4584	schtasks.exe
5064	schtasks.exe
3468	schtasks.exe
1516	schtasks.exe
372	schtasks.exe
1756	schtasks.exe
3416	schtasks.exe
4668	schtasks.exe
4340	schtasks.exe
396	schtasks.exe
2284	schtasks.exe
2332	schtasks.exe
3340	schtasks.exe
2252	schtasks.exe
3608	schtasks.exe
3188	schtasks.exe
4812	schtasks.exe
4652	schtasks.exe
3784	schtasks.exe
4348	schtasks.exe
4756	schtasks.exe
2676	schtasks.exe
2500	schtasks.exe
5056	schtasks.exe
4616	schtasks.exe
5040	schtasks.exe
4976	schtasks.exe
1932	schtasks.exe
752	schtasks.exe
4904	schtasks.exe
1984	schtasks.exe
4304	schtasks.exe
4712	schtasks.exe
908	schtasks.exe
2872	schtasks.exe
4932	schtasks.exe
2392	schtasks.exe
2280	schtasks.exe
4016	schtasks.exe
1508	schtasks.exe
4288	schtasks.exe
2700	schtasks.exe
1568	schtasks.exe
1564	schtasks.exe
1996	schtasks.exe
472	schtasks.exe
972	schtasks.exe
4980	schtasks.exe
1224	schtasks.exe
4396	schtasks.exe

Modifies registry class 1 IoCs

Processes:

devalt.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings	devalt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exe

pid	Process
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe
3976	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3976	SurrogateDll.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

devalt.exeWScript.execmd.exeSurrogateDll.exe

description	pid	Process	procid_target
PID 3740 wrote to memory of 2848	3740	devalt.exe	85
PID 3740 wrote to memory of 2848	3740	devalt.exe	85
PID 3740 wrote to memory of 2848	3740	devalt.exe	85
PID 2848 wrote to memory of 1280	2848	WScript.exe	86
PID 2848 wrote to memory of 1280	2848	WScript.exe	86
PID 2848 wrote to memory of 1280	2848	WScript.exe	86
PID 1280 wrote to memory of 3976	1280	cmd.exe	88
PID 1280 wrote to memory of 3976	1280	cmd.exe	88
PID 3976 wrote to memory of 3136	3976	SurrogateDll.exe	148
PID 3976 wrote to memory of 3136	3976	SurrogateDll.exe	148
PID 3976 wrote to memory of 2204	3976	SurrogateDll.exe	151
PID 3976 wrote to memory of 2204	3976	SurrogateDll.exe	151
PID 3976 wrote to memory of 3828	3976	SurrogateDll.exe	150
PID 3976 wrote to memory of 3828	3976	SurrogateDll.exe	150
PID 3976 wrote to memory of 1056	3976	SurrogateDll.exe	152
PID 3976 wrote to memory of 1056	3976	SurrogateDll.exe	152
PID 3976 wrote to memory of 4712	3976	SurrogateDll.exe	165
PID 3976 wrote to memory of 4712	3976	SurrogateDll.exe	165
PID 3976 wrote to memory of 884	3976	SurrogateDll.exe	163
PID 3976 wrote to memory of 884	3976	SurrogateDll.exe	163
PID 3976 wrote to memory of 3628	3976	SurrogateDll.exe	162
PID 3976 wrote to memory of 3628	3976	SurrogateDll.exe	162
PID 3976 wrote to memory of 1564	3976	SurrogateDll.exe	161
PID 3976 wrote to memory of 1564	3976	SurrogateDll.exe	161
PID 3976 wrote to memory of 1568	3976	SurrogateDll.exe	153
PID 3976 wrote to memory of 1568	3976	SurrogateDll.exe	153
PID 3976 wrote to memory of 3152	3976	SurrogateDll.exe	160
PID 3976 wrote to memory of 3152	3976	SurrogateDll.exe	160
PID 3976 wrote to memory of 460	3976	SurrogateDll.exe	170
PID 3976 wrote to memory of 460	3976	SurrogateDll.exe	170
PID 3976 wrote to memory of 3104	3976	SurrogateDll.exe	169
PID 3976 wrote to memory of 3104	3976	SurrogateDll.exe	169
PID 3976 wrote to memory of 3008	3976	SurrogateDll.exe	167
PID 3976 wrote to memory of 3008	3976	SurrogateDll.exe	167

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\devalt.exe
"C:\Users\Admin\AppData\Local\Temp\devalt.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3976 -s 1512
        5⤵
        Program crash
        
        PID:4496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\AppData\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\DESIGNER\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3976 -ip 3976
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DESIGNER\RCXE2C8.tmp

Filesize
1.7MB

MD5
8b7d1373a3c2a7e0454b26ba186f1d2d

SHA1
5e46f5c8c13477d50d41ecf31447505cbde56eed

SHA256
3f05587a41f979070b923059b7c83c5ca7a6f869e7715c253befb41fe8f51fb9

SHA512
fa4d54cd15833c21e7cfcaf2ff053fbb17234dcdd35287a4bc292c61ad38ccdc94ab52909ea9ce2c3f83692cad2d37067d835aea875ac5534955373cae3a3c0a

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.7MB

MD5
8ff8fdaba5354ecbab06744199c821ca

SHA1
7d43160a6cd6c6ad8edfcba3794b3f56ff27fd34

SHA256
f97103ce2d00f3e3cab554cc0c8717ef6e09e54692702c7aff27b4b1dfcabff4

SHA512
df4fb12ba00a6888bbc697d8ada140d1e5303ee91669432e2078b71283894d5557b29f8871a4f8f0b46ece24444baa8d665ee877dee4d6e4eee3e523319519ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y45tpfju.lga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\Documents\dllhost.exe

Filesize
1.7MB

MD5
83b70659f140995c29d71c22db918ceb

SHA1
7d120fecaddcd9d1837f5931079eb050c91bfca8

SHA256
d1f77349f39e67ddbc459964d1effa8cc5dd63ee1b1c7f45b8eae537303d963f

SHA512
93a42fdf87c7e1c46b4d3597e3b8f1f5e3b67a24567b366e0cea6e9806b776ce320d4d13028f12388ad6bed5b5b9ae5134b7da7e52cb703d8c35facc3233fcaf

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\RCXBA51.tmp

Filesize
1.7MB

MD5
7b4c52ffeb62388ae9e4174771f90bd4

SHA1
282d38d6a974055e24c27190d22331ebc9643b45

SHA256
4838b46a55389d775b77ec76898d4520cb420fa74a1a8a964a5375af51b53d8c

SHA512
8189bb7627909c9c2fc0ce79d6c0dca41777c50637e30e194dbe5699e514799877a3dd09bb0ceeb717401d2ecda3a93ba39d8d9d3c4ed15c1ef11c02b6f47ea1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
C:\agentBrowsersavesRefBroker\winlogon.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
cd9ee3501b175e939b2dee42d44aff05

SHA1
1a5d80a2fb0c02411783d4890ebf0cb723ff36c1

SHA256
c0157186a98fb1d5325e68d210b7e953e33b39e2a3343f629bca4f24f2fcd8d5

SHA512
4442282f560f45221f8ccaffb40f132867d4525d70d58f097c32f26967539737bddef347af1fc04c509f84d856ffdc4150b04175a86b98ae7b2e7f5618a2fc21

Download Submit
memory/460-562-0x000001A77BE00000-0x000001A77BE10000-memory.dmp

Filesize
64KB

Download
memory/460-572-0x000001A77BE00000-0x000001A77BE10000-memory.dmp

Filesize
64KB

Download
memory/884-549-0x0000014E316A0000-0x0000014E316B0000-memory.dmp

Filesize
64KB

Download
memory/884-550-0x0000014E316A0000-0x0000014E316B0000-memory.dmp

Filesize
64KB

Download
memory/884-564-0x0000014E316A0000-0x0000014E316B0000-memory.dmp

Filesize
64KB

Download
memory/884-571-0x0000014E316A0000-0x0000014E316B0000-memory.dmp

Filesize
64KB

Download
memory/1056-560-0x0000014D6A890000-0x0000014D6A8A0000-memory.dmp

Filesize
64KB

Download
memory/1564-516-0x00000163EB9B0000-0x00000163EB9C0000-memory.dmp

Filesize
64KB

Download
memory/1564-475-0x00000163EB9B0000-0x00000163EB9C0000-memory.dmp

Filesize
64KB

Download
memory/1564-574-0x00000163EB9B0000-0x00000163EB9C0000-memory.dmp

Filesize
64KB

Download
memory/1568-567-0x0000015571C10000-0x0000015571C20000-memory.dmp

Filesize
64KB

Download
memory/1568-544-0x0000015571C10000-0x0000015571C20000-memory.dmp

Filesize
64KB

Download
memory/3008-576-0x000002880B8F0000-0x000002880B900000-memory.dmp

Filesize
64KB

Download
memory/3008-570-0x000002880B8F0000-0x000002880B900000-memory.dmp

Filesize
64KB

Download
memory/3104-563-0x000001DD37400000-0x000001DD37410000-memory.dmp

Filesize
64KB

Download
memory/3136-462-0x000002B286EA0000-0x000002B286EB0000-memory.dmp

Filesize
64KB

Download
memory/3136-565-0x000002B286EA0000-0x000002B286EB0000-memory.dmp

Filesize
64KB

Download
memory/3136-457-0x000002B286EA0000-0x000002B286EB0000-memory.dmp

Filesize
64KB

Download
memory/3136-432-0x000002B286E40000-0x000002B286E62000-memory.dmp

Filesize
136KB

Download
memory/3136-573-0x000002B286EA0000-0x000002B286EB0000-memory.dmp

Filesize
64KB

Download
memory/3152-561-0x0000023FBD1C0000-0x0000023FBD1D0000-memory.dmp

Filesize
64KB

Download
memory/3152-577-0x0000023FBD1C0000-0x0000023FBD1D0000-memory.dmp

Filesize
64KB

Download
memory/3628-494-0x00000208E2450000-0x00000208E2460000-memory.dmp

Filesize
64KB

Download
memory/3628-575-0x00000208E2450000-0x00000208E2460000-memory.dmp

Filesize
64KB

Download
memory/3628-568-0x00000208E2450000-0x00000208E2460000-memory.dmp

Filesize
64KB

Download
memory/3828-569-0x000001DEDBC30000-0x000001DEDBC40000-memory.dmp

Filesize
64KB

Download
memory/3828-531-0x000001DEDBC30000-0x000001DEDBC40000-memory.dmp

Filesize
64KB

Download
memory/3976-318-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-267-0x000000001CCF0000-0x000000001CDF0000-memory.dmp

Filesize
1024KB

Download
memory/3976-415-0x000000001CCF0000-0x000000001CDF0000-memory.dmp

Filesize
1024KB

Download
memory/3976-390-0x000000001CCF0000-0x000000001CDF0000-memory.dmp

Filesize
1024KB

Download
memory/3976-145-0x0000000000700000-0x00000000008C0000-memory.dmp

Filesize
1.8MB

Download
memory/3976-372-0x000000001CCF0000-0x000000001CDF0000-memory.dmp

Filesize
1024KB

Download
memory/3976-338-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-337-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-146-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-317-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-292-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-147-0x000000001BB40000-0x000000001BB90000-memory.dmp

Filesize
320KB

Download
memory/3976-255-0x000000001CCF0000-0x000000001CDF0000-memory.dmp

Filesize
1024KB

Download
memory/3976-163-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-162-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-153-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-152-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

Filesize
64KB

Download
memory/3976-149-0x000000001C0C0000-0x000000001C5E8000-memory.dmp

Filesize
5.2MB

Download
memory/4712-446-0x000001BCFFA40000-0x000001BCFFA50000-memory.dmp

Filesize
64KB

Download
memory/4712-566-0x000001BCFFA40000-0x000001BCFFA50000-memory.dmp

Filesize
64KB

Download
memory/4712-456-0x000001BCFFA40000-0x000001BCFFA50000-memory.dmp

Filesize
64KB

Download