dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1791s
max time network
1796s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2276	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2276	schtasks.exe	75

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af2f-11.dat	dcrat
behavioral2/files/0x000800000001af2f-14.dat	dcrat
behavioral2/files/0x000700000001b003-31.dat	dcrat
behavioral2/files/0x000700000001b003-32.dat	dcrat
behavioral2/memory/3976-34-0x0000000000E60000-0x0000000000FE0000-memory.dmp	dcrat
behavioral2/files/0x000600000001b008-48.dat	dcrat
behavioral2/files/0x000600000001b02c-369.dat	dcrat
behavioral2/files/0x000600000001b02c-370.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2744	Loader.exe
3976	MsServerfont.exe
3568	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sk-SK\SearchUI.exe	MsServerfont.exe
File created	C:\Windows\SysWOW64\sk-SK\dab4d89cac03ec	MsServerfont.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2480	YammiBeta.exe
2480	YammiBeta.exe
2480	YammiBeta.exe
2480	YammiBeta.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Visualizations\dllhost.exe	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\Visualizations\5940a34987c991	MsServerfont.exe
File created	C:\Program Files\Microsoft Office\csrss.exe	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\services.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\ebf1f9fa8afd6d	MsServerfont.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\MsServerfont.exe	MsServerfont.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\3416ca5bd162c5	MsServerfont.exe
File created	C:\Program Files\Microsoft Office\886983d96e3d3e	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\c5b4cb5e9653cc	MsServerfont.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\cmd.exe	MsServerfont.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\MsServerfont.exe	MsServerfont.exe
File created	C:\Windows\ELAMBKUP\fontdrvhost.exe	MsServerfont.exe
File created	C:\Windows\ELAMBKUP\5b884080fd4f94	MsServerfont.exe
File created	C:\Windows\ja-JP\SearchUI.exe	MsServerfont.exe
File created	C:\Windows\ja-JP\dab4d89cac03ec	MsServerfont.exe
File created	C:\Windows\Help\it-IT\sihost.exe	MsServerfont.exe
File created	C:\Windows\Help\it-IT\66fc9ff0ee96c2	MsServerfont.exe
File created	C:\Windows\rescache\_merged\3769523093\spoolsv.exe	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4504	schtasks.exe
4980	schtasks.exe
212	schtasks.exe
2208	schtasks.exe
1704	schtasks.exe
4204	schtasks.exe
3608	schtasks.exe
2908	schtasks.exe
612	schtasks.exe
796	schtasks.exe
2888	schtasks.exe
4944	schtasks.exe
4212	schtasks.exe
1144	schtasks.exe
4864	schtasks.exe
2748	schtasks.exe
5092	schtasks.exe
3632	schtasks.exe
3932	schtasks.exe
2244	schtasks.exe
4600	schtasks.exe
2052	schtasks.exe
4052	schtasks.exe
4920	schtasks.exe
716	schtasks.exe
1472	schtasks.exe
4556	schtasks.exe
4584	schtasks.exe
4100	schtasks.exe
3900	schtasks.exe
1220	schtasks.exe
4256	schtasks.exe
1380	schtasks.exe
2152	schtasks.exe
4872	schtasks.exe
2472	schtasks.exe
316	schtasks.exe
1580	schtasks.exe
4996	schtasks.exe
1088	schtasks.exe
3440	schtasks.exe
1020	schtasks.exe
4320	schtasks.exe
1668	schtasks.exe
3972	schtasks.exe
2696	schtasks.exe
4136	schtasks.exe
1296	schtasks.exe
4608	schtasks.exe
1660	schtasks.exe
4384	schtasks.exe
2448	schtasks.exe
4340	schtasks.exe
2540	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	MsServerfont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3976	MsServerfont.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
4616	powershell.exe
4616	powershell.exe
2916	powershell.exe
2916	powershell.exe
2688	powershell.exe
2688	powershell.exe
3092	powershell.exe
3092	powershell.exe
4532	powershell.exe
4532	powershell.exe
3988	powershell.exe
3988	powershell.exe
4564	powershell.exe
4564	powershell.exe
4004	powershell.exe
4004	powershell.exe
4048	powershell.exe
4048	powershell.exe
4404	powershell.exe
4404	powershell.exe
4808	powershell.exe
4808	powershell.exe
4616	powershell.exe
2916	powershell.exe
3092	powershell.exe
2688	powershell.exe
4532	powershell.exe
3988	powershell.exe
4004	powershell.exe
4564	powershell.exe
4404	powershell.exe
4808	powershell.exe
2916	powershell.exe
4048	powershell.exe
4616	powershell.exe
4616	powershell.exe
3092	powershell.exe
2688	powershell.exe
2688	powershell.exe
4532	powershell.exe
3988	powershell.exe
4004	powershell.exe
4808	powershell.exe
4404	powershell.exe
4564	powershell.exe
4564	powershell.exe
4048	powershell.exe
3568	csrss.exe
3568	csrss.exe
3568	csrss.exe
3568	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3568	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	YammiBeta.exe
Token: SeDebugPrivilege	3976	MsServerfont.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	powershell.exe
Token: SeSecurityPrivilege	2916	powershell.exe
Token: SeTakeOwnershipPrivilege	2916	powershell.exe
Token: SeLoadDriverPrivilege	2916	powershell.exe
Token: SeSystemProfilePrivilege	2916	powershell.exe
Token: SeSystemtimePrivilege	2916	powershell.exe
Token: SeProfSingleProcessPrivilege	2916	powershell.exe
Token: SeIncBasePriorityPrivilege	2916	powershell.exe
Token: SeCreatePagefilePrivilege	2916	powershell.exe
Token: SeBackupPrivilege	2916	powershell.exe
Token: SeRestorePrivilege	2916	powershell.exe
Token: SeShutdownPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeSystemEnvironmentPrivilege	2916	powershell.exe
Token: SeRemoteShutdownPrivilege	2916	powershell.exe
Token: SeUndockPrivilege	2916	powershell.exe
Token: SeManageVolumePrivilege	2916	powershell.exe
Token: 33	2916	powershell.exe
Token: 34	2916	powershell.exe
Token: 35	2916	powershell.exe
Token: 36	2916	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	powershell.exe
Token: SeSecurityPrivilege	4616	powershell.exe
Token: SeTakeOwnershipPrivilege	4616	powershell.exe
Token: SeLoadDriverPrivilege	4616	powershell.exe
Token: SeSystemProfilePrivilege	4616	powershell.exe
Token: SeSystemtimePrivilege	4616	powershell.exe
Token: SeProfSingleProcessPrivilege	4616	powershell.exe
Token: SeIncBasePriorityPrivilege	4616	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2480	YammiBeta.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2744	2480	YammiBeta.exe	70
PID 2480 wrote to memory of 2744	2480	YammiBeta.exe	70
PID 2480 wrote to memory of 2744	2480	YammiBeta.exe	70
PID 2744 wrote to memory of 4828	2744	Loader.exe	71
PID 2744 wrote to memory of 4828	2744	Loader.exe	71
PID 2744 wrote to memory of 4828	2744	Loader.exe	71
PID 4828 wrote to memory of 3424	4828	WScript.exe	72
PID 4828 wrote to memory of 3424	4828	WScript.exe	72
PID 4828 wrote to memory of 3424	4828	WScript.exe	72
PID 3424 wrote to memory of 3976	3424	cmd.exe	74
PID 3424 wrote to memory of 3976	3424	cmd.exe	74
PID 3976 wrote to memory of 4616	3976	MsServerfont.exe	130
PID 3976 wrote to memory of 4616	3976	MsServerfont.exe	130
PID 3976 wrote to memory of 3092	3976	MsServerfont.exe	131
PID 3976 wrote to memory of 3092	3976	MsServerfont.exe	131
PID 3976 wrote to memory of 2916	3976	MsServerfont.exe	135
PID 3976 wrote to memory of 2916	3976	MsServerfont.exe	135
PID 3976 wrote to memory of 4048	3976	MsServerfont.exe	133
PID 3976 wrote to memory of 4048	3976	MsServerfont.exe	133
PID 3976 wrote to memory of 4564	3976	MsServerfont.exe	136
PID 3976 wrote to memory of 4564	3976	MsServerfont.exe	136
PID 3976 wrote to memory of 4004	3976	MsServerfont.exe	153
PID 3976 wrote to memory of 4004	3976	MsServerfont.exe	153
PID 3976 wrote to memory of 2688	3976	MsServerfont.exe	152
PID 3976 wrote to memory of 2688	3976	MsServerfont.exe	152
PID 3976 wrote to memory of 3132	3976	MsServerfont.exe	150
PID 3976 wrote to memory of 3132	3976	MsServerfont.exe	150
PID 3976 wrote to memory of 4808	3976	MsServerfont.exe	146
PID 3976 wrote to memory of 4808	3976	MsServerfont.exe	146
PID 3976 wrote to memory of 4532	3976	MsServerfont.exe	145
PID 3976 wrote to memory of 4532	3976	MsServerfont.exe	145
PID 3976 wrote to memory of 4404	3976	MsServerfont.exe	144
PID 3976 wrote to memory of 4404	3976	MsServerfont.exe	144
PID 3976 wrote to memory of 3988	3976	MsServerfont.exe	138
PID 3976 wrote to memory of 3988	3976	MsServerfont.exe	138
PID 3976 wrote to memory of 2296	3976	MsServerfont.exe	154
PID 3976 wrote to memory of 2296	3976	MsServerfont.exe	154
PID 2296 wrote to memory of 2160	2296	cmd.exe	156
PID 2296 wrote to memory of 2160	2296	cmd.exe	156
PID 2296 wrote to memory of 3568	2296	cmd.exe	158
PID 2296 wrote to memory of 3568	2296	cmd.exe	158

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y4bNlaSBbd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Office\csrss.exe
        
        "C:\Program Files\Microsoft Office\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\it-IT\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\sk-SK\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sk-SK\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\sk-SK\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\ELAMBKUP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\ELAMBKUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\csrss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Microsoft Office\csrss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1f64512fa2207270dcdb54c3bff60aa

SHA1
a96ada7533510e29a697ddc6b8a1ecb18595fdbd

SHA256
d96c4d853eedab1a763177ec704e83f572ea2852e87a3444eb4c6b5fb5eae27f

SHA512
2fdfe6e874ed865bba1474902a3044a52e1978af89150584aa1af98f19afc510d23cda6e410df2d0f7f1f8bb6d8ebe056718993ef7da2ac08aee099d1c1b1666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c77e961285afb1794c922107f43eadc7

SHA1
191dded74e68df276c90a1147da68a3a6f909d8b

SHA256
e2fce2979b0e9749e144d6b255a2520c3fff83686fa390605083ae80e38f0753

SHA512
e314b5355644925fefc91bbca4c5f56de4c4eaecc4fe5a46d1382f03c5b2faa1bbd9c2a12ee99db1718073bbcc4f516a85e5076595cc90c5ff844589e01bffa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c77e961285afb1794c922107f43eadc7

SHA1
191dded74e68df276c90a1147da68a3a6f909d8b

SHA256
e2fce2979b0e9749e144d6b255a2520c3fff83686fa390605083ae80e38f0753

SHA512
e314b5355644925fefc91bbca4c5f56de4c4eaecc4fe5a46d1382f03c5b2faa1bbd9c2a12ee99db1718073bbcc4f516a85e5076595cc90c5ff844589e01bffa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d2ee1234105501ba19f330ec5017642

SHA1
ea70916b7769bd3e9ce964de61628ea01b1cb691

SHA256
aec0507e55e3894ea2cab671313aeb5ca2a6def9c8e3b1c2ec3204bb262a12e3

SHA512
68634a5a3f06ba833dc89abc4bf7900601696ae2ceadb1eae136b40919fc90d1c7c3ac90c4ab38d54067cde02c6bc40d6aa0da57713c4e1eb900df69a08e4a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44ee15a721503e2ca4b8380dc99599cd

SHA1
64acd60cf30ce62fd1002a45fceb173d8766abf9

SHA256
b6933ac36072de1d6587b9ae5a18862ea80d4660452757d1195450fa037b8fc4

SHA512
d837af437409b120bebfecf58c14009f8cf71c2ca2b4d386ce6ddb2bd77bdfb5525a1f037adbe551b2fad893dffe854cf20943ea091b014ac8e0cad32bb21313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44ee15a721503e2ca4b8380dc99599cd

SHA1
64acd60cf30ce62fd1002a45fceb173d8766abf9

SHA256
b6933ac36072de1d6587b9ae5a18862ea80d4660452757d1195450fa037b8fc4

SHA512
d837af437409b120bebfecf58c14009f8cf71c2ca2b4d386ce6ddb2bd77bdfb5525a1f037adbe551b2fad893dffe854cf20943ea091b014ac8e0cad32bb21313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9e8c5f32e6346a80ba48ea992094ab8

SHA1
b7ec5551e38b6f9b8fdee22e3d41ff08672cdac4

SHA256
4c006939bedf4852a44ac23e90ebd06087e05a873f7145c04b49bb2fa3139920

SHA512
fbfd301701304acf8c0a48053694bb0e0d93a254a9d045cb7f72c1e57d783e637558406931db0bdfbebef97c01b7e447fb42d4e2709d42c456994bfdf466b0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0192140ce5a113193f6b9b665dd3274

SHA1
27a4d015a4f038256bf79d0511f5be6918bf9d21

SHA256
4e96125d0f5d2c2c899ae234a17328abc80fa5fe11b1fbc634151513202fa0e4

SHA512
837185022af8d04c875a3c596c175e2c416e16123b9637b2c2945509b4cf0718e5e14a2b7c3371d2190cf0b816fe848718297604b8ab124bbbe9146aa5d3afa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38abc90f80ea9df7b618b9a8360944d5

SHA1
30dbddd81a079fa092ff94febe95f468331aef22

SHA256
ec27aa8e7b9055a1e1a165383ca55830fb13770157ecc806161f853d9e9493b2

SHA512
ae6f7d7564dc0f5f3d6c006d4c6c2f5af0d44ae023fd918cb71c7c87cc535d19ed89bae399b33b17bdae4317fa092553499bcb0e336f17106fba59831fdfaec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\S4dFztKqlg

Filesize
92KB

MD5
32bb8ea35279c436279a97f9760e01bb

SHA1
ae53a488303d09e9ebd66420d38d3da3062ae3b2

SHA256
1e54d702319225b2b4d128674cbd934f03698f58658b4740978a7428d72badc5

SHA512
86752c0075d522547ddc72f09c2a17bdbc8315bcaa941f504d220b5cac54cba05b7df72b7eb10a96cf9d533bbeaff1c37d16f23d29e1b280986830fabe1b4922

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y4bNlaSBbd.bat

Filesize
208B

MD5
fe86dee14a56ae880abbeaf2f9b9b153

SHA1
5629582bd00504cd9734752ef01a9d97cd71ce27

SHA256
b2d8e627ecbee53eab982725f669e87ae489ba31dbde91b8f570d5f4b3380e34

SHA512
a8b634637114eaac8db9d55b3481ffd166ee84dbfc7db9b042b28fe2f356257ea338b589ff87a2d684733e1f30cef82e6bc9753d44c782691a87085d47bdcba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0fkujne.wdb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u37nf0tO9d

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgydz8lFyy

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\odt\conhost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/2480-3-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/2480-24-0x0000000006C50000-0x000000000714E000-memory.dmp

Filesize
5.0MB

Download
memory/2480-29-0x0000000000FD0000-0x000000000134E000-memory.dmp

Filesize
3.5MB

Download
memory/2480-1-0x0000000000FD0000-0x000000000134E000-memory.dmp

Filesize
3.5MB

Download
memory/2480-7-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/2480-25-0x0000000006840000-0x00000000068D2000-memory.dmp

Filesize
584KB

Download
memory/2480-2-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-4-0x0000000000FD0000-0x000000000134E000-memory.dmp

Filesize
3.5MB

Download
memory/2480-0-0x0000000000FD0000-0x000000000134E000-memory.dmp

Filesize
3.5MB

Download
memory/2480-6-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-33-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-110-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-154-0x0000021F6DC70000-0x0000021F6DC80000-memory.dmp

Filesize
64KB

Download
memory/2688-179-0x0000021F6DC70000-0x0000021F6DC80000-memory.dmp

Filesize
64KB

Download
memory/2916-185-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-150-0x0000021E6F270000-0x0000021E6F280000-memory.dmp

Filesize
64KB

Download
memory/2916-152-0x0000021E6F270000-0x0000021E6F280000-memory.dmp

Filesize
64KB

Download
memory/3092-145-0x000001A222810000-0x000001A222820000-memory.dmp

Filesize
64KB

Download
memory/3092-96-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/3092-146-0x000001A222810000-0x000001A222820000-memory.dmp

Filesize
64KB

Download
memory/3132-147-0x000001FEC2770000-0x000001FEC2792000-memory.dmp

Filesize
136KB

Download
memory/3132-153-0x000001FEC2A60000-0x000001FEC2AD6000-memory.dmp

Filesize
472KB

Download
memory/3132-120-0x000001FEC27D0000-0x000001FEC27E0000-memory.dmp

Filesize
64KB

Download
memory/3132-116-0x000001FEC27D0000-0x000001FEC27E0000-memory.dmp

Filesize
64KB

Download
memory/3132-88-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/3132-207-0x000001FEC27D0000-0x000001FEC27E0000-memory.dmp

Filesize
64KB

Download
memory/3568-754-0x000000001D800000-0x000000001D995000-memory.dmp

Filesize
1.6MB

Download
memory/3568-784-0x000000001D800000-0x000000001D995000-memory.dmp

Filesize
1.6MB

Download
memory/3976-40-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/3976-42-0x000000001BEA0000-0x000000001BEAE000-memory.dmp

Filesize
56KB

Download
memory/3976-35-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/3976-34-0x0000000000E60000-0x0000000000FE0000-memory.dmp

Filesize
1.5MB

Download
memory/3976-36-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3976-45-0x000000001BED0000-0x000000001BEDC000-memory.dmp

Filesize
48KB

Download
memory/3976-37-0x000000001C0E0000-0x000000001C0FC000-memory.dmp

Filesize
112KB

Download
memory/3976-44-0x000000001BEC0000-0x000000001BECA000-memory.dmp

Filesize
40KB

Download
memory/3976-38-0x000000001C150000-0x000000001C1A0000-memory.dmp

Filesize
320KB

Download
memory/3976-43-0x000000001BEB0000-0x000000001BEBE000-memory.dmp

Filesize
56KB

Download
memory/3976-129-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/3976-41-0x00000000032B0000-0x00000000032BC000-memory.dmp

Filesize
48KB

Download
memory/3976-39-0x000000001C100000-0x000000001C116000-memory.dmp

Filesize
88KB

Download
memory/3988-193-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-171-0x0000027569B70000-0x0000027569B80000-memory.dmp

Filesize
64KB

Download
memory/3988-173-0x0000027569B70000-0x0000027569B80000-memory.dmp

Filesize
64KB

Download
memory/4004-202-0x000001EFC6D90000-0x000001EFC6DA0000-memory.dmp

Filesize
64KB

Download
memory/4004-169-0x000001EFC6D90000-0x000001EFC6DA0000-memory.dmp

Filesize
64KB

Download
memory/4004-144-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4048-196-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4048-204-0x0000020AADF30000-0x0000020AADF40000-memory.dmp

Filesize
64KB

Download
memory/4048-175-0x0000020AADF30000-0x0000020AADF40000-memory.dmp

Filesize
64KB

Download
memory/4404-203-0x0000020EA4120000-0x0000020EA4130000-memory.dmp

Filesize
64KB

Download
memory/4404-174-0x0000020EA4120000-0x0000020EA4130000-memory.dmp

Filesize
64KB

Download
memory/4404-149-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-190-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-156-0x0000025D94D80000-0x0000025D94D90000-memory.dmp

Filesize
64KB

Download
memory/4532-178-0x0000025D94D80000-0x0000025D94D90000-memory.dmp

Filesize
64KB

Download
memory/4564-131-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4564-168-0x000002BF2B920000-0x000002BF2B930000-memory.dmp

Filesize
64KB

Download
memory/4564-167-0x000002BF2B920000-0x000002BF2B930000-memory.dmp

Filesize
64KB

Download
memory/4616-134-0x0000024BFD100000-0x0000024BFD110000-memory.dmp

Filesize
64KB

Download
memory/4616-140-0x0000024BFD100000-0x0000024BFD110000-memory.dmp

Filesize
64KB

Download
memory/4616-268-0x0000024BFD100000-0x0000024BFD110000-memory.dmp

Filesize
64KB

Download
memory/4616-181-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4808-200-0x00007FFD3C6E0000-0x00007FFD3D0CC000-memory.dmp

Filesize
9.9MB

Download
memory/4808-176-0x0000024BD9DE0000-0x0000024BD9DF0000-memory.dmp

Filesize
64KB

Download
memory/4808-177-0x0000024BD9DE0000-0x0000024BD9DF0000-memory.dmp

Filesize
64KB

Download