dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
126s
max time network
159s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	3700	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3700	schtasks.exe	74

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af3e-11.dat	dcrat
behavioral2/files/0x000800000001af3e-14.dat	dcrat
behavioral2/files/0x000700000001afa3-28.dat	dcrat
behavioral2/files/0x000700000001afa3-29.dat	dcrat
behavioral2/memory/4340-30-0x0000000000F20000-0x00000000010A0000-memory.dmp	dcrat
behavioral2/files/0x000600000001afa8-48.dat	dcrat
behavioral2/files/0x000600000001afb4-431.dat	dcrat
behavioral2/files/0x000600000001afb4-430.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4324	Loader.exe
4340	MsServerfont.exe
2588	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
796	YammiBeta.exe
796	YammiBeta.exe
796	YammiBeta.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\Idle.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f	MsServerfont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\MsServerfont.exe	MsServerfont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\3416ca5bd162c5	MsServerfont.exe
File created	C:\Program Files\Windows Portable Devices\unsecapp.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\6ccacd8608530f	MsServerfont.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe	MsServerfont.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	MsServerfont.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	MsServerfont.exe
File created	C:\Program Files\Windows Portable Devices\29c1c3cc0f7685	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f	MsServerfont.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	MsServerfont.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	MsServerfont.exe
File created	C:\Windows\debug\smss.exe	MsServerfont.exe
File created	C:\Windows\debug\69ddcba757bf72	MsServerfont.exe
File created	C:\Windows\PrintDialog\Assets\MsServerfont.exe	MsServerfont.exe
File opened for modification	C:\Windows\PrintDialog\Assets\MsServerfont.exe	MsServerfont.exe
File created	C:\Windows\PrintDialog\Assets\3416ca5bd162c5	MsServerfont.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\AppxMetadata\System.exe	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1396	schtasks.exe
1056	schtasks.exe
196	schtasks.exe
2568	schtasks.exe
3232	schtasks.exe
2640	schtasks.exe
3844	schtasks.exe
1548	schtasks.exe
2580	schtasks.exe
2372	schtasks.exe
4468	schtasks.exe
4852	schtasks.exe
4828	schtasks.exe
3744	schtasks.exe
656	schtasks.exe
4380	schtasks.exe
4864	schtasks.exe
4208	schtasks.exe
3792	schtasks.exe
2252	schtasks.exe
2056	schtasks.exe
2096	schtasks.exe
3552	schtasks.exe
5108	schtasks.exe
5008	schtasks.exe
4924	schtasks.exe
1364	schtasks.exe
292	schtasks.exe
2528	schtasks.exe
4964	schtasks.exe
2600	schtasks.exe
1236	schtasks.exe
2788	schtasks.exe
3400	schtasks.exe
4400	schtasks.exe
816	schtasks.exe
2080	schtasks.exe
3720	schtasks.exe
1932	schtasks.exe
4532	schtasks.exe
4120	schtasks.exe
3676	schtasks.exe
2648	schtasks.exe
2740	schtasks.exe
4416	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	MsServerfont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4340	MsServerfont.exe
4300	powershell.exe
4300	powershell.exe
2524	powershell.exe
2524	powershell.exe
4848	powershell.exe
4848	powershell.exe
3716	powershell.exe
3716	powershell.exe
3372	powershell.exe
3372	powershell.exe
312	powershell.exe
312	powershell.exe
1020	powershell.exe
1020	powershell.exe
4216	powershell.exe
4216	powershell.exe
4796	powershell.exe
4796	powershell.exe
3972	powershell.exe
3972	powershell.exe
4196	powershell.exe
4196	powershell.exe
4784	powershell.exe
4784	powershell.exe
4796	powershell.exe
4300	powershell.exe
2524	powershell.exe
4848	powershell.exe
3372	powershell.exe
4196	powershell.exe
3716	powershell.exe
312	powershell.exe
1020	powershell.exe
4216	powershell.exe
3972	powershell.exe
4784	powershell.exe
4300	powershell.exe
4196	powershell.exe
4848	powershell.exe
3372	powershell.exe
4216	powershell.exe
4796	powershell.exe
3716	powershell.exe
3716	powershell.exe
2524	powershell.exe
2524	powershell.exe
3972	powershell.exe
1020	powershell.exe
4784	powershell.exe
312	powershell.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	YammiBeta.exe
Token: SeDebugPrivilege	4340	MsServerfont.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	2588	explorer.exe
Token: SeIncreaseQuotaPrivilege	4300	powershell.exe
Token: SeSecurityPrivilege	4300	powershell.exe
Token: SeTakeOwnershipPrivilege	4300	powershell.exe
Token: SeLoadDriverPrivilege	4300	powershell.exe
Token: SeSystemProfilePrivilege	4300	powershell.exe
Token: SeSystemtimePrivilege	4300	powershell.exe
Token: SeProfSingleProcessPrivilege	4300	powershell.exe
Token: SeIncBasePriorityPrivilege	4300	powershell.exe
Token: SeCreatePagefilePrivilege	4300	powershell.exe
Token: SeBackupPrivilege	4300	powershell.exe
Token: SeRestorePrivilege	4300	powershell.exe
Token: SeShutdownPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeSystemEnvironmentPrivilege	4300	powershell.exe
Token: SeRemoteShutdownPrivilege	4300	powershell.exe
Token: SeUndockPrivilege	4300	powershell.exe
Token: SeManageVolumePrivilege	4300	powershell.exe
Token: 33	4300	powershell.exe
Token: 34	4300	powershell.exe
Token: 35	4300	powershell.exe
Token: 36	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe
Token: 33	4196	powershell.exe
Token: 34	4196	powershell.exe
Token: 35	4196	powershell.exe
Token: 36	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	powershell.exe
Token: SeSecurityPrivilege	4848	powershell.exe
Token: SeTakeOwnershipPrivilege	4848	powershell.exe
Token: SeLoadDriverPrivilege	4848	powershell.exe
Token: SeSystemProfilePrivilege	4848	powershell.exe
Token: SeSystemtimePrivilege	4848	powershell.exe
Token: SeProfSingleProcessPrivilege	4848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
796	YammiBeta.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 4324	796	YammiBeta.exe	69
PID 796 wrote to memory of 4324	796	YammiBeta.exe	69
PID 796 wrote to memory of 4324	796	YammiBeta.exe	69
PID 4324 wrote to memory of 3156	4324	Loader.exe	70
PID 4324 wrote to memory of 3156	4324	Loader.exe	70
PID 4324 wrote to memory of 3156	4324	Loader.exe	70
PID 3156 wrote to memory of 4060	3156	WScript.exe	71
PID 3156 wrote to memory of 4060	3156	WScript.exe	71
PID 3156 wrote to memory of 4060	3156	WScript.exe	71
PID 4060 wrote to memory of 4340	4060	cmd.exe	73
PID 4060 wrote to memory of 4340	4060	cmd.exe	73
PID 4340 wrote to memory of 4300	4340	MsServerfont.exe	120
PID 4340 wrote to memory of 4300	4340	MsServerfont.exe	120
PID 4340 wrote to memory of 3972	4340	MsServerfont.exe	121
PID 4340 wrote to memory of 3972	4340	MsServerfont.exe	121
PID 4340 wrote to memory of 1020	4340	MsServerfont.exe	122
PID 4340 wrote to memory of 1020	4340	MsServerfont.exe	122
PID 4340 wrote to memory of 3372	4340	MsServerfont.exe	123
PID 4340 wrote to memory of 3372	4340	MsServerfont.exe	123
PID 4340 wrote to memory of 2524	4340	MsServerfont.exe	124
PID 4340 wrote to memory of 2524	4340	MsServerfont.exe	124
PID 4340 wrote to memory of 312	4340	MsServerfont.exe	125
PID 4340 wrote to memory of 312	4340	MsServerfont.exe	125
PID 4340 wrote to memory of 4196	4340	MsServerfont.exe	126
PID 4340 wrote to memory of 4196	4340	MsServerfont.exe	126
PID 4340 wrote to memory of 4796	4340	MsServerfont.exe	127
PID 4340 wrote to memory of 4796	4340	MsServerfont.exe	127
PID 4340 wrote to memory of 4784	4340	MsServerfont.exe	128
PID 4340 wrote to memory of 4784	4340	MsServerfont.exe	128
PID 4340 wrote to memory of 4216	4340	MsServerfont.exe	129
PID 4340 wrote to memory of 4216	4340	MsServerfont.exe	129
PID 4340 wrote to memory of 3716	4340	MsServerfont.exe	130
PID 4340 wrote to memory of 3716	4340	MsServerfont.exe	130
PID 4340 wrote to memory of 4848	4340	MsServerfont.exe	145
PID 4340 wrote to memory of 4848	4340	MsServerfont.exe	145
PID 4340 wrote to memory of 1484	4340	MsServerfont.exe	141
PID 4340 wrote to memory of 1484	4340	MsServerfont.exe	141
PID 1484 wrote to memory of 2600	1484	cmd.exe	146
PID 1484 wrote to memory of 2600	1484	cmd.exe	146
PID 1484 wrote to memory of 2588	1484	cmd.exe	147
PID 1484 wrote to memory of 2588	1484	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4UbXHEAOsu.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2600
        
        C:\odt\explorer.exe
        
        "C:\odt\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\Assets\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 5 /tr "'C:\odt\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 11 /tr "'C:\odt\InstallAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\odt\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\odt\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cc6e6c6822654a4bdf41d2b9f2624a9

SHA1
89787ae7ec622d50ad453b1f3ddd9ba18256b0c0

SHA256
e359d2374fbc29c0a193eefa365a5bf98465d3c7844880f7546d1e4fe8c37f36

SHA512
219aed3f854509008b534bc4b650d88f04e3177dc7563a10df5d850ad958fa88f43841547a6c9e896fb84b1314f62df8c861e7864c1dfe84da297f66214dae7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cc6e6c6822654a4bdf41d2b9f2624a9

SHA1
89787ae7ec622d50ad453b1f3ddd9ba18256b0c0

SHA256
e359d2374fbc29c0a193eefa365a5bf98465d3c7844880f7546d1e4fe8c37f36

SHA512
219aed3f854509008b534bc4b650d88f04e3177dc7563a10df5d850ad958fa88f43841547a6c9e896fb84b1314f62df8c861e7864c1dfe84da297f66214dae7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbce1d5091a7470d6737131b8905f2cb

SHA1
de11d4a99ebe5674ca657e6fb71c00b7b50305aa

SHA256
98cc72c5484f44edd38df79256eed9a3592ac21220b4a2ed00b5b3e8bdcce600

SHA512
664b438488c9f874711d23def12c373c331f57f360990e5e5a8e6921c7ba4571fa33128da4ab5491c320a81a9d8ffc8c65d4429ee2820ce8327a08686a837079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0083ccb0a307307734086cc129af757

SHA1
759901f32bdb34bdae8f38cec1db2187ab4f70bc

SHA256
57566b641e995b015e2152f5f92fe1ec7c3547defec357cabc21e6f39b46ee5f

SHA512
5d2ce4e079126559e02b251c415fa43a0a04426ec65313bd2e881af0a63bb630d0b3357ff0aeffdd99b668a12c48ead8276667bf614301247accbb4b68089268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60baf1762255bc6ebcb02454f220cfb0

SHA1
15bd6ddcd4efa37d40fa7719920b1705b921eed4

SHA256
5e037ab4e8962a2d1610b63d2f7d4cd8465f471db2e7a67efc02a11d4e0deb69

SHA512
64d655c522bc6e4f1d9333457a518352f5d02be027d6a3784875327e601b3e3213a155963291c7c53dcf2429ee9385d82ff12fa9a5379f7324f39c9048a8893e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4623e2ea90b4125e946b6dbe8da7f63

SHA1
4e5003577d4f92b1fce1cf533af4bd3b3a163714

SHA256
59f26c9bd1e36c48652eeec7c1a171fca393f7bcb642382fadef53c61f3405da

SHA512
f38dd7dffd3c83b704320210894b9dbb69f0337842ba38b975418a8380b5e712eac49bf26abcb7a2a5e4d957d1ab369ec902779c173b9e341cd50add04aaec68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
127571cc5474cdb3127e9d14851186a0

SHA1
8882ac15180a217f83997709e6b3f8dbb5cfd7d6

SHA256
de3a374b680b57e74c969daf755d64d506382151697d3181a2ce8692064c9aba

SHA512
59a2718599a9cf419f8c1abc1c838b5cca7c5437a3e31dc2f7acc3d43deb41b3688cb161a4d4d7522ceb4c0881453302dcb17236636d44e23615248db9cab7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bdb5eb8a8a7c50000df57ec1910326c

SHA1
848d1bbf96c326495bd0512ad7b72c3a69cd75ae

SHA256
3711f1214121f22d0930555a479a33b5615abc8cc284e4f6ffc2051efea880fa

SHA512
99b8ce5d62f96f12b33907dd8999659bf0f7d3fba68edb95195c85d8cf6e87d86e8f3da8450e54cef07230b0b0ebf6619b578e7ba669ccf30569c0943e6902d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16148dc78651d7328fb222d07a2a5acf

SHA1
4b7a809af10e6622fb7638a3fc7d13c2a8efd59b

SHA256
5d12e42317420ed4c638f78296a982f248c8ee2fd01fe8b6b92586f68237e8cf

SHA512
c7fa1cb66e7010537efc1a6d7918cbf32966fb725556750e5a8f7974760b88c1ba4b52507856c05e60d32da659e0472cac99009a3874d9e6eba44393a2a9c322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17adad1df8e09bf9c32c9cc2c7778cdf

SHA1
261806f19477afeb0123a7ebc731d15a5ff37e07

SHA256
655d1aa59391baa005b0497d3ad55e0da27240bf9b715b8c6accc2ac7644c307

SHA512
7d208dc576cbb555038d921ba45bf781ef3abbbcfb475f52eeee61f1f728d23f387544d206a73bc8f6b28396925bb10afe88a37f8e468625bba30a41b3989afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2edde89099f9e43ce9f8a0c837c5431b

SHA1
a53d5fd870d41ef8fa18322a76c0d65da85b700b

SHA256
aa68951d8af56695ff7f0707919a2eff9cf8be3cf13bf485a6c0d632995d3404

SHA512
4654ebbacc00c005590dcc36bcf6f1d4c766ab41ec9cae71359ce6e4122ba2df43d3cc0a3c60d3a6acc60ee38dc75fdc965301749eada18eca5ad6ce488606f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4UbXHEAOsu.bat

Filesize
184B

MD5
6fa20bb3658618ddcd3d117fd474ff42

SHA1
b1b7a6fbe0299590ab7531f1ed59110a9f179e5d

SHA256
9f9542e12ab54a62f47da9b7e265857dbc148d964b6155456fd2918cd8e5a524

SHA512
ec03ed3e64fc4b266bcf02f9c0d7b1036e964133d12c9f0fa4bdc397888d9666f654ce0e8180c65a1897da3b37fc9d9bcc2f7f4bd6a72d020f761a36f594c8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xk31i0h5.jr2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\odt\explorer.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\odt\explorer.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/312-135-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/312-150-0x000002114D9E0000-0x000002114D9F0000-memory.dmp

Filesize
64KB

Download
memory/312-148-0x000002114D9E0000-0x000002114D9F0000-memory.dmp

Filesize
64KB

Download
memory/796-25-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/796-4-0x0000000000FE0000-0x000000000135E000-memory.dmp

Filesize
3.5MB

Download
memory/796-33-0x0000000000FE0000-0x000000000135E000-memory.dmp

Filesize
3.5MB

Download
memory/796-1-0x0000000000FE0000-0x000000000135E000-memory.dmp

Filesize
3.5MB

Download
memory/796-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/796-24-0x0000000006A00000-0x0000000006EFE000-memory.dmp

Filesize
5.0MB

Download
memory/796-7-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/796-0-0x0000000000FE0000-0x000000000135E000-memory.dmp

Filesize
3.5MB

Download
memory/796-3-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/796-36-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/796-5-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1020-134-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-151-0x0000020374B40000-0x0000020374B50000-memory.dmp

Filesize
64KB

Download
memory/1020-149-0x0000020374B40000-0x0000020374B50000-memory.dmp

Filesize
64KB

Download
memory/2524-196-0x0000026670B90000-0x0000026670BA0000-memory.dmp

Filesize
64KB

Download
memory/2524-86-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/3372-188-0x00000283ED4A0000-0x00000283ED4B0000-memory.dmp

Filesize
64KB

Download
memory/3372-128-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/3372-350-0x00000283ED4A0000-0x00000283ED4B0000-memory.dmp

Filesize
64KB

Download
memory/3372-147-0x00000283ED4A0000-0x00000283ED4B0000-memory.dmp

Filesize
64KB

Download
memory/3716-140-0x00000150BA890000-0x00000150BA8A0000-memory.dmp

Filesize
64KB

Download
memory/3716-192-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/3972-141-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/3972-157-0x0000028572C10000-0x0000028572C20000-memory.dmp

Filesize
64KB

Download
memory/3972-162-0x0000028572C10000-0x0000028572C20000-memory.dmp

Filesize
64KB

Download
memory/4196-176-0x00000256F1430000-0x00000256F1440000-memory.dmp

Filesize
64KB

Download
memory/4196-312-0x00000256F1430000-0x00000256F1440000-memory.dmp

Filesize
64KB

Download
memory/4196-143-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4196-199-0x00000256F1430000-0x00000256F1440000-memory.dmp

Filesize
64KB

Download
memory/4216-198-0x0000020764800000-0x0000020764810000-memory.dmp

Filesize
64KB

Download
memory/4216-195-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4216-190-0x0000020764800000-0x0000020764810000-memory.dmp

Filesize
64KB

Download
memory/4300-139-0x0000025D89B80000-0x0000025D89B90000-memory.dmp

Filesize
64KB

Download
memory/4300-94-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4300-171-0x0000025DA3C30000-0x0000025DA3CA6000-memory.dmp

Filesize
472KB

Download
memory/4300-240-0x0000025D89B80000-0x0000025D89B90000-memory.dmp

Filesize
64KB

Download
memory/4300-138-0x0000025D89B80000-0x0000025D89B90000-memory.dmp

Filesize
64KB

Download
memory/4340-40-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/4340-38-0x000000001C220000-0x000000001C270000-memory.dmp

Filesize
320KB

Download
memory/4340-37-0x0000000003200000-0x000000000321C000-memory.dmp

Filesize
112KB

Download
memory/4340-44-0x000000001C200000-0x000000001C20A000-memory.dmp

Filesize
40KB

Download
memory/4340-39-0x000000001BC60000-0x000000001BC76000-memory.dmp

Filesize
88KB

Download
memory/4340-41-0x000000001C1D0000-0x000000001C1DC000-memory.dmp

Filesize
48KB

Download
memory/4340-35-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/4340-34-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4340-43-0x000000001C1F0000-0x000000001C1FE000-memory.dmp

Filesize
56KB

Download
memory/4340-130-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4340-42-0x000000001C1E0000-0x000000001C1EE000-memory.dmp

Filesize
56KB

Download
memory/4340-30-0x0000000000F20000-0x00000000010A0000-memory.dmp

Filesize
1.5MB

Download
memory/4340-45-0x000000001C210000-0x000000001C21C000-memory.dmp

Filesize
48KB

Download
memory/4784-144-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4784-170-0x0000021736A40000-0x0000021736A50000-memory.dmp

Filesize
64KB

Download
memory/4784-179-0x0000021736A40000-0x0000021736A50000-memory.dmp

Filesize
64KB

Download
memory/4796-152-0x0000019A76090000-0x0000019A760A0000-memory.dmp

Filesize
64KB

Download
memory/4796-137-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-155-0x0000019A76090000-0x0000019A760A0000-memory.dmp

Filesize
64KB

Download
memory/4796-136-0x0000019A761A0000-0x0000019A761C2000-memory.dmp

Filesize
136KB

Download
memory/4848-113-0x00007FFFAC3F0000-0x00007FFFACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/4848-322-0x0000021750490000-0x00000217504A0000-memory.dmp

Filesize
64KB

Download
memory/4848-146-0x0000021750490000-0x00000217504A0000-memory.dmp

Filesize
64KB

Download
memory/4848-145-0x0000021750490000-0x00000217504A0000-memory.dmp

Filesize
64KB

Download