dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
351s
max time network
405s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3624	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3624	schtasks.exe	85

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0006000000023209-13.dat	dcrat
behavioral3/files/0x0006000000023209-15.dat	dcrat
behavioral3/files/0x0006000000023209-16.dat	dcrat
behavioral3/files/0x0006000000023210-31.dat	dcrat
behavioral3/files/0x0006000000023210-32.dat	dcrat
behavioral3/memory/4176-35-0x00000000000A0000-0x0000000000220000-memory.dmp	dcrat
behavioral3/files/0x0006000000023217-42.dat	dcrat
behavioral3/files/0x0006000000023222-274.dat	dcrat
behavioral3/files/0x0006000000023222-275.dat	dcrat
behavioral3/files/0x0006000000023243-346.dat	dcrat
behavioral3/files/0x0006000000023243-347.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3640	Loader.exe
4176	MsServerfont.exe
4932	StartMenuExperienceHost.exe
2460	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ipinfo.io
41	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
540	YammiBeta.exe
540	YammiBeta.exe
540	YammiBeta.exe
540	YammiBeta.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\29c1c3cc0f7685	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	MsServerfont.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\29c1c3cc0f7685	MsServerfont.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\5940a34987c991	MsServerfont.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\explorer.exe	MsServerfont.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\7a0fd90576e088	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Sidebar\unsecapp.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	MsServerfont.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	MsServerfont.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\unsecapp.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\55b276f4edf653	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\smss.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\69ddcba757bf72	MsServerfont.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dllhost.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	MsServerfont.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHT\e1ef82546f0b02	MsServerfont.exe
File created	C:\Windows\InputMethod\CHT\SppExtComObj.exe	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1132	schtasks.exe
2268	schtasks.exe
4768	schtasks.exe
4988	schtasks.exe
2256	schtasks.exe
2872	schtasks.exe
3068	schtasks.exe
3832	schtasks.exe
1728	schtasks.exe
3264	schtasks.exe
920	schtasks.exe
2964	schtasks.exe
736	schtasks.exe
4596	schtasks.exe
3980	schtasks.exe
4980	schtasks.exe
1716	schtasks.exe
1468	schtasks.exe
3724	schtasks.exe
2036	schtasks.exe
4484	schtasks.exe
1300	schtasks.exe
1256	schtasks.exe
2252	schtasks.exe
4684	schtasks.exe
412	schtasks.exe
3708	schtasks.exe
1792	schtasks.exe
1948	schtasks.exe
1192	schtasks.exe
4512	schtasks.exe
3008	schtasks.exe
3412	schtasks.exe
4388	schtasks.exe
4172	schtasks.exe
4060	schtasks.exe
2760	schtasks.exe
2700	schtasks.exe
744	schtasks.exe
2412	schtasks.exe
2912	schtasks.exe
4280	schtasks.exe
500	schtasks.exe
2752	schtasks.exe
4308	schtasks.exe
1476	schtasks.exe
2680	schtasks.exe
3076	schtasks.exe
4440	schtasks.exe
3492	schtasks.exe
3424	schtasks.exe
4944	schtasks.exe
3244	schtasks.exe
3184	schtasks.exe
4848	schtasks.exe
4248	schtasks.exe
5072	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	MsServerfont.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
4176	MsServerfont.exe
3112	powershell.exe
3112	powershell.exe
5032	powershell.exe
5032	powershell.exe
1344	powershell.exe
1344	powershell.exe
3932	powershell.exe
3932	powershell.exe
4016	powershell.exe
4016	powershell.exe
5060	powershell.exe
5060	powershell.exe
4984	powershell.exe
4984	powershell.exe
564	powershell.exe
564	powershell.exe
4852	powershell.exe
4852	powershell.exe
2228	powershell.exe
2228	powershell.exe
1632	powershell.exe
1632	powershell.exe
3628	powershell.exe
3628	powershell.exe
5032	powershell.exe
3112	powershell.exe
1344	powershell.exe
3932	powershell.exe
564	powershell.exe
4016	powershell.exe
4984	powershell.exe
2228	powershell.exe
1632	powershell.exe
5060	powershell.exe
4852	powershell.exe
3628	powershell.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	YammiBeta.exe
Token: SeDebugPrivilege	4176	MsServerfont.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	4932	StartMenuExperienceHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
540	YammiBeta.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3640	540	YammiBeta.exe	89
PID 540 wrote to memory of 3640	540	YammiBeta.exe	89
PID 540 wrote to memory of 3640	540	YammiBeta.exe	89
PID 3640 wrote to memory of 4784	3640	Loader.exe	90
PID 3640 wrote to memory of 4784	3640	Loader.exe	90
PID 3640 wrote to memory of 4784	3640	Loader.exe	90
PID 4784 wrote to memory of 1664	4784	WScript.exe	92
PID 4784 wrote to memory of 1664	4784	WScript.exe	92
PID 4784 wrote to memory of 1664	4784	WScript.exe	92
PID 1664 wrote to memory of 4176	1664	cmd.exe	94
PID 1664 wrote to memory of 4176	1664	cmd.exe	94
PID 4176 wrote to memory of 3628	4176	MsServerfont.exe	154
PID 4176 wrote to memory of 3628	4176	MsServerfont.exe	154
PID 4176 wrote to memory of 1344	4176	MsServerfont.exe	152
PID 4176 wrote to memory of 1344	4176	MsServerfont.exe	152
PID 4176 wrote to memory of 2228	4176	MsServerfont.exe	153
PID 4176 wrote to memory of 2228	4176	MsServerfont.exe	153
PID 4176 wrote to memory of 3112	4176	MsServerfont.exe	174
PID 4176 wrote to memory of 3112	4176	MsServerfont.exe	174
PID 4176 wrote to memory of 3932	4176	MsServerfont.exe	173
PID 4176 wrote to memory of 3932	4176	MsServerfont.exe	173
PID 4176 wrote to memory of 5032	4176	MsServerfont.exe	172
PID 4176 wrote to memory of 5032	4176	MsServerfont.exe	172
PID 4176 wrote to memory of 1632	4176	MsServerfont.exe	171
PID 4176 wrote to memory of 1632	4176	MsServerfont.exe	171
PID 4176 wrote to memory of 564	4176	MsServerfont.exe	170
PID 4176 wrote to memory of 564	4176	MsServerfont.exe	170
PID 4176 wrote to memory of 4016	4176	MsServerfont.exe	169
PID 4176 wrote to memory of 4016	4176	MsServerfont.exe	169
PID 4176 wrote to memory of 4852	4176	MsServerfont.exe	168
PID 4176 wrote to memory of 4852	4176	MsServerfont.exe	168
PID 4176 wrote to memory of 5060	4176	MsServerfont.exe	167
PID 4176 wrote to memory of 5060	4176	MsServerfont.exe	167
PID 4176 wrote to memory of 4984	4176	MsServerfont.exe	155
PID 4176 wrote to memory of 4984	4176	MsServerfont.exe	155
PID 4176 wrote to memory of 408	4176	MsServerfont.exe	176
PID 4176 wrote to memory of 408	4176	MsServerfont.exe	176
PID 408 wrote to memory of 3708	408	cmd.exe	178
PID 408 wrote to memory of 3708	408	cmd.exe	178
PID 408 wrote to memory of 4932	408	cmd.exe	179
PID 408 wrote to memory of 4932	408	cmd.exe	179

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dd4hGSSx1g.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3708
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Templates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\CHT\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\CHT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dd4hGSSx1g.bat

Filesize
242B

MD5
ce35f44d9976d90b11c262afd23d4ee4

SHA1
e5124f711523c19d9dd2667ff72c4653ce5e2b6a

SHA256
d537e1d919355d8e6a976e2b8dcaedf786be7b93dd9959cff7c70a27ec146f92

SHA512
7bbfba6872a053a00fff18a3a50772c6ab7c6db0571949c6f54cea7f4adfabff02215949feded642c67770acfeee1d3a88c554d4c2ca7d02dbab08029a0db572

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhmrbi5a.n1t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\spoolsv.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Public\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Public\System.exe

Filesize
1.2MB

MD5
f3489192276864143bbec862909e5d08

SHA1
b383c5017fe4a68bd8e2eb6f2253504543d9e529

SHA256
c1693fc15b691ae0db01cbcb65ada9537a9527e9935f8b5bf7e55130fd286bc3

SHA512
835354bad737f539e4069271d851deb5b2aa50e12fe939a5d792256a89574a67768aee128bbb24f0a6411bf3bd96743df776291065f360fbacbbb5dbd064efba

Download Submit
memory/540-0-0x0000000000D20000-0x000000000109E000-memory.dmp

Filesize
3.5MB

Download
memory/540-36-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/540-26-0x0000000007040000-0x00000000070D2000-memory.dmp

Filesize
584KB

Download
memory/540-3-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/540-5-0x0000000000D20000-0x000000000109E000-memory.dmp

Filesize
3.5MB

Download
memory/540-6-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/540-7-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/540-2-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/540-33-0x0000000000D20000-0x000000000109E000-memory.dmp

Filesize
3.5MB

Download
memory/540-1-0x0000000000D20000-0x000000000109E000-memory.dmp

Filesize
3.5MB

Download
memory/540-25-0x0000000007500000-0x0000000007AA4000-memory.dmp

Filesize
5.6MB

Download
memory/564-216-0x0000027EFE370000-0x0000027EFE380000-memory.dmp

Filesize
64KB

Download
memory/564-221-0x0000027EFE370000-0x0000027EFE380000-memory.dmp

Filesize
64KB

Download
memory/564-235-0x0000027EFE370000-0x0000027EFE380000-memory.dmp

Filesize
64KB

Download
memory/564-217-0x0000027EFE370000-0x0000027EFE380000-memory.dmp

Filesize
64KB

Download
memory/564-215-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/1344-220-0x00000145D2740000-0x00000145D2750000-memory.dmp

Filesize
64KB

Download
memory/1344-247-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/1344-228-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/1344-225-0x00000145D2740000-0x00000145D2750000-memory.dmp

Filesize
64KB

Download
memory/1344-85-0x00000145D2740000-0x00000145D2750000-memory.dmp

Filesize
64KB

Download
memory/1632-214-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/2228-111-0x00000227FC970000-0x00000227FC980000-memory.dmp

Filesize
64KB

Download
memory/2228-110-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/2228-223-0x00000227FC970000-0x00000227FC980000-memory.dmp

Filesize
64KB

Download
memory/2228-126-0x00000227FC970000-0x00000227FC980000-memory.dmp

Filesize
64KB

Download
memory/3112-87-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/3112-98-0x000002914EB80000-0x000002914EB90000-memory.dmp

Filesize
64KB

Download
memory/3112-244-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/3112-97-0x000002914F640000-0x000002914F662000-memory.dmp

Filesize
136KB

Download
memory/3112-99-0x000002914EB80000-0x000002914EB90000-memory.dmp

Filesize
64KB

Download
memory/3628-230-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/3932-172-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/3932-233-0x000001F8CB4E0000-0x000001F8CB4F0000-memory.dmp

Filesize
64KB

Download
memory/3932-253-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4016-234-0x00000120EAF10000-0x00000120EAF20000-memory.dmp

Filesize
64KB

Download
memory/4016-206-0x00000120EAF10000-0x00000120EAF20000-memory.dmp

Filesize
64KB

Download
memory/4016-205-0x00000120EAF10000-0x00000120EAF20000-memory.dmp

Filesize
64KB

Download
memory/4016-204-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4176-35-0x00000000000A0000-0x0000000000220000-memory.dmp

Filesize
1.5MB

Download
memory/4176-37-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4176-38-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/4176-39-0x00000000023F0000-0x0000000002440000-memory.dmp

Filesize
320KB

Download
memory/4176-100-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4852-224-0x000001BB51AC0000-0x000001BB51AD0000-memory.dmp

Filesize
64KB

Download
memory/4852-218-0x000001BB51AC0000-0x000001BB51AD0000-memory.dmp

Filesize
64KB

Download
memory/4852-219-0x000001BB51AC0000-0x000001BB51AD0000-memory.dmp

Filesize
64KB

Download
memory/4852-229-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4852-227-0x000001BB51AC0000-0x000001BB51AD0000-memory.dmp

Filesize
64KB

Download
memory/4932-318-0x000000001D4B0000-0x000000001D659000-memory.dmp

Filesize
1.7MB

Download
memory/4984-211-0x00000260F2D20000-0x00000260F2D30000-memory.dmp

Filesize
64KB

Download
memory/4984-209-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/4984-213-0x00000260F2D20000-0x00000260F2D30000-memory.dmp

Filesize
64KB

Download
memory/4984-222-0x00000260F2D20000-0x00000260F2D30000-memory.dmp

Filesize
64KB

Download
memory/4984-252-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/5032-81-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/5032-238-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download
memory/5032-231-0x00000233DCA70000-0x00000233DCA80000-memory.dmp

Filesize
64KB

Download
memory/5032-232-0x00000233DCA70000-0x00000233DCA80000-memory.dmp

Filesize
64KB

Download
memory/5032-82-0x00000233DCA70000-0x00000233DCA80000-memory.dmp

Filesize
64KB

Download
memory/5032-83-0x00000233DCA70000-0x00000233DCA80000-memory.dmp

Filesize
64KB

Download
memory/5060-226-0x000001D946390000-0x000001D9463A0000-memory.dmp

Filesize
64KB

Download
memory/5060-212-0x000001D946390000-0x000001D9463A0000-memory.dmp

Filesize
64KB

Download
memory/5060-210-0x000001D946390000-0x000001D9463A0000-memory.dmp

Filesize
64KB

Download
memory/5060-208-0x00007FFC89940000-0x00007FFC8A401000-memory.dmp

Filesize
10.8MB

Download