dcrat | 50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7

Resubmissions

05-11-2024 09:03

241105-k1ac3sxnh1 10

23-10-2024 05:42

241023-gehksavhqm 10

Analysis

max time kernel
298s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20241007-ja
resource tags

arch:x64arch:x86image:win10v2004-20241007-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
05-11-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
Size

1.7MB
MD5

480424b6227f31ada24e52bd28617d10
SHA1

0eb0bc8e634f965294c4c4d940b50286e85486f2
SHA256

50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7
SHA512

6342f89c34de90d6183ca7dd9b144752df432356e8f915a5c34449bae5d7581fb758cb2091c3ddff3c50c0ebd03784296878f14494f2fb15d1b71c716a9f8cff
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1436	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1436	schtasks.exe	84

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4936-1-0x0000000000490000-0x0000000000646000-memory.dmp	dcrat
behavioral2/files/0x0008000000023bfd-30.dat	dcrat
behavioral2/files/0x000d000000023afc-81.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4916	powershell.exe
1324	powershell.exe
2132	powershell.exe
3768	powershell.exe
4492	powershell.exe
4504	powershell.exe
4444	powershell.exe
212	powershell.exe
116	powershell.exe
3952	powershell.exe
4428	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 3 IoCs

pid	Process
4852	lsass.exe
2168	lsass.exe
3108	OfficeClickToRun.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\55b276f4edf653	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX8C85.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8E9A.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files\Windows Defender\uk-UA\6203df4a6bafc7	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files\Common Files\Services\e6c9b481da804f	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX8C95.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Common Files\Services\OfficeClickToRun.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCX90AF.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files\Windows Defender\uk-UA\lsass.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\lsass.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files\Common Files\Services\OfficeClickToRun.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCX8A6F.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCX8A80.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8E9B.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCX912D.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\RuntimeBroker.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File created	C:\Windows\ShellComponents\9e8d7a4ca61bd9	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Windows\ShellComponents\RCX9351.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Windows\ShellComponents\RCX9362.tmp	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
File opened for modification	C:\Windows\ShellComponents\RuntimeBroker.exe	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3588	schtasks.exe
4776	schtasks.exe
1048	schtasks.exe
4172	schtasks.exe
5044	schtasks.exe
924	schtasks.exe
388	schtasks.exe
3960	schtasks.exe
1036	schtasks.exe
3476	schtasks.exe
4940	schtasks.exe
1284	schtasks.exe
4848	schtasks.exe
4744	schtasks.exe
100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4504	powershell.exe
4504	powershell.exe
1324	powershell.exe
1324	powershell.exe
212	powershell.exe
212	powershell.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
4916	powershell.exe
4916	powershell.exe
3952	powershell.exe
3952	powershell.exe
4444	powershell.exe
4444	powershell.exe
4428	powershell.exe
4428	powershell.exe
4492	powershell.exe
4492	powershell.exe
3768	powershell.exe
3768	powershell.exe
2132	powershell.exe
2132	powershell.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
2132	powershell.exe
4492	powershell.exe
4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
212	powershell.exe
1324	powershell.exe
4504	powershell.exe
3952	powershell.exe
4428	powershell.exe
4916	powershell.exe
4444	powershell.exe
3768	powershell.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe
4852	lsass.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4852	lsass.exe
Token: SeDebugPrivilege	2168	lsass.exe
Token: SeDebugPrivilege	3108	OfficeClickToRun.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4916	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	106
PID 4936 wrote to memory of 4916	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	106
PID 4936 wrote to memory of 4444	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	107
PID 4936 wrote to memory of 4444	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	107
PID 4936 wrote to memory of 212	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	108
PID 4936 wrote to memory of 212	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	108
PID 4936 wrote to memory of 1324	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	109
PID 4936 wrote to memory of 1324	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	109
PID 4936 wrote to memory of 116	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	110
PID 4936 wrote to memory of 116	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	110
PID 4936 wrote to memory of 4504	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	111
PID 4936 wrote to memory of 4504	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	111
PID 4936 wrote to memory of 4492	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	112
PID 4936 wrote to memory of 4492	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	112
PID 4936 wrote to memory of 3768	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	113
PID 4936 wrote to memory of 3768	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	113
PID 4936 wrote to memory of 4428	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	114
PID 4936 wrote to memory of 4428	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	114
PID 4936 wrote to memory of 3952	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	115
PID 4936 wrote to memory of 3952	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	115
PID 4936 wrote to memory of 2132	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	116
PID 4936 wrote to memory of 2132	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	116
PID 4936 wrote to memory of 4852	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	128
PID 4936 wrote to memory of 4852	4936	50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe	128
PID 4852 wrote to memory of 4516	4852	lsass.exe	129
PID 4852 wrote to memory of 4516	4852	lsass.exe	129
PID 4852 wrote to memory of 2080	4852	lsass.exe	131
PID 4852 wrote to memory of 2080	4852	lsass.exe	131
PID 4516 wrote to memory of 2168	4516	WScript.exe	134
PID 4516 wrote to memory of 2168	4516	WScript.exe	134
PID 4060 wrote to memory of 4852	4060	msedge.exe	153
PID 4060 wrote to memory of 4852	4060	msedge.exe	153
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154
PID 4060 wrote to memory of 1000	4060	msedge.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe
"C:\Users\Admin\AppData\Local\Temp\50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Program Files\Windows Defender\uk-UA\lsass.exe
  "C:\Program Files\Windows Defender\uk-UA\lsass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd78075-a72c-4950-8b89-1b40277c492f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Program Files\Windows Defender\uk-UA\lsass.exe
      "C:\Program Files\Windows Defender\uk-UA\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5f960f9-c708-42d4-a22d-e0e846cb11ac.vbs"
    3⤵
    PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff879a746f8,0x7ff879a74708,0x7ff879a74718
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,17948043949486865305,1458041258802334585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3548 /prefetch:2
  2⤵
  PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

C:\Program Files\Common Files\Services\OfficeClickToRun.exe
"C:\Program Files\Common Files\Services\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
5c1cfbcb4911d63f4a3b13cdccb74afa

SHA1
c775cc12f12d27c433f4582d8cae02890019d78d

SHA256
79c77410a12f34bd5efa847983bd6020928d214023e62d2a6ec25323352dcd21

SHA512
a8ac4549b5f24747891910ba1d221c11dfef0b53d8943109c4948adfc70b35bafbf4dd20c57507889718faa38f8f034c0036616c1f6e74f747f9fa6c8d320973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f86d84a4145ce47fcdcd80306fdfb0e

SHA1
5d7a09f77c4685d45556cab57da86289927c4a17

SHA256
3f55debd22fafd6d0563080fd382eaeb0cb0db5b372e476231bb0c76b62e6880

SHA512
7d9cec92aa7eb569a82166dd6994a3ec458a5ecab46de4a5f96d787c956fdf8d63e20370811264bc21b768cfcf28883a1bbb0a053e8c2fedeedb09771d2ae77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b97b7925a9d3b1e6e65e7415a4b0152

SHA1
fd9dd4b1e410666daac2f1fa785310f401b8e260

SHA256
b051d1fe9158bb33ab79761efb972f78d0b70af972a9066d5d2a8291a6b6200c

SHA512
106a6ff62a54920d042129b32fcbd94686f2d951f0ef7081fd6293ce4ef090263ac9f688a2c898285bd66dc22f5ec68b89c6475ea6fe41a7e2642814ce39ddc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
91c925ecb0a91405e1d19aba31d67610

SHA1
fb00af390d975982bf7ec7acb1e1d22cf6758e7a

SHA256
5acf5724ac215d7f42e28db0a687309f67442c3818e1edc800f3617ff5b80ee1

SHA512
4801e398d716b955364a6b86bf83e8eb7187f0f9ac999704ee13afb0b980731f1130101bc0efc19e17c6371a438358a782c6d2992453262c8ce72201386a606a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dd78075-a72c-4950-8b89-1b40277c492f.vbs

Filesize
725B

MD5
e88a3fcbef7bee3ccfbe9d141005bbc3

SHA1
a0dbfc2a4701b747f5d49b1cbdbd7746c604bd68

SHA256
7f8793ee8acfdba94f5e3c76968bf54ee6086246a5195993755397494ecc9001

SHA512
8644e8cda88e96365d16fcd5d44c39964a819a636fd9cdf1e0e01bab74f93a86eb2c8b61d73528cc84bfd3d0d3b3ad53f0102135df58413291537e10404c0ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_352fvdjc.trt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5f960f9-c708-42d4-a22d-e0e846cb11ac.vbs

Filesize
501B

MD5
deace569b18eb5bcc634dc45aa6ef177

SHA1
0d81963b7e391a73f0f179b1e2c5e9b4cead05ae

SHA256
0e358449d0505abf2ba72e43763c1cd7ef1d3d0b8e8ba48694f77d3223074682

SHA512
075a727e766622e6e81e14958674701fc861bd1b7976dad109cbd0fad74ef6554a3f317c7759c17b146afd38e98bfd952e0d4ace8e36d09ac82c3afefa0f7bb6

Download Submit
C:\Windows\ShellComponents\RuntimeBroker.exe

Filesize
1.7MB

MD5
480424b6227f31ada24e52bd28617d10

SHA1
0eb0bc8e634f965294c4c4d940b50286e85486f2

SHA256
50a6a9140e77cb1787b0fa1022aacd6d9807e0ceb51e0acbe332bd1a1bec80b7

SHA512
6342f89c34de90d6183ca7dd9b144752df432356e8f915a5c34449bae5d7581fb758cb2091c3ddff3c50c0ebd03784296878f14494f2fb15d1b71c716a9f8cff

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
dd4a84adae1077587ef39b559757bebe

SHA1
2451e0eab0ea53abd0fccf1a17d24e3c82dc29a3

SHA256
5e17722af763bf898a0fefede69b3bb46e7a35d2932fc8f18cd394b917928353

SHA512
bba855c465f5125ee755f0033093fc8722315a81e1558724d1d12dc014068de9078c8b8fc3f6d7d67e3d312d8195530beb493aeeccd69b107c93b1c8bb16a50a

Download Submit
memory/212-164-0x000001F64E130000-0x000001F64E152000-memory.dmp

Filesize
136KB

Download
memory/1324-160-0x000001CC45E00000-0x000001CC45E10000-memory.dmp

Filesize
64KB

Download
memory/2168-286-0x000000001CA50000-0x000000001CA62000-memory.dmp

Filesize
72KB

Download
memory/4504-145-0x00000240B8270000-0x00000240B8302000-memory.dmp

Filesize
584KB

Download
memory/4852-250-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/4852-283-0x000000001D930000-0x000000001DA32000-memory.dmp

Filesize
1.0MB

Download
memory/4852-281-0x000000001DA90000-0x000000001DAD8000-memory.dmp

Filesize
288KB

Download
memory/4936-11-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/4936-0-0x00007FF879BE3000-0x00007FF879BE5000-memory.dmp

Filesize
8KB

Download
memory/4936-18-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/4936-16-0x000000001B360000-0x000000001B368000-memory.dmp

Filesize
32KB

Download
memory/4936-15-0x000000001B350000-0x000000001B35A000-memory.dmp

Filesize
40KB

Download
memory/4936-17-0x000000001BC80000-0x000000001BC8C000-memory.dmp

Filesize
48KB

Download
memory/4936-14-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/4936-13-0x000000001B340000-0x000000001B34C000-memory.dmp

Filesize
48KB

Download
memory/4936-23-0x000000001BE30000-0x000000001BF3E000-memory.dmp

Filesize
1.1MB

Download
memory/4936-10-0x00000000027E0000-0x00000000027EC000-memory.dmp

Filesize
48KB

Download
memory/4936-21-0x00007FF879BE0000-0x00007FF87A6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-249-0x00007FF879BE0000-0x00007FF87A6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-9-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/4936-22-0x00007FF879BE0000-0x00007FF87A6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-7-0x00000000027A0000-0x00000000027B6000-memory.dmp

Filesize
88KB

Download
memory/4936-8-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4936-4-0x000000001B2E0000-0x000000001B330000-memory.dmp

Filesize
320KB

Download
memory/4936-5-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/4936-6-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4936-3-0x0000000002760000-0x000000000277C000-memory.dmp

Filesize
112KB

Download
memory/4936-2-0x00007FF879BE0000-0x00007FF87A6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-1-0x0000000000490000-0x0000000000646000-memory.dmp

Filesize
1.7MB

Download