dcrat | 54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef44e6c54801a42dc9cff0bf0459036.exe
Size

1.8MB
MD5

7ef44e6c54801a42dc9cff0bf0459036
SHA1

45322aee2375b98a8b443e08d5e9f58ac10e9e2d
SHA256

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab
SHA512

dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250
SSDEEP

49152:ZWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:DKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	2684	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2684	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2468-1-0x00000000002F0000-0x00000000004BC000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b3f-33.dat	dcrat
behavioral2/files/0x000d000000023b44-60.dat	dcrat
behavioral2/files/0x000200000001e747-81.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
2704	powershell.exe
2608	powershell.exe
3052	powershell.exe
3948	powershell.exe
468	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7ef44e6c54801a42dc9cff0bf0459036.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	SppExtComObj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ef44e6c54801a42dc9cff0bf0459036.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\SppExtComObj.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files\Crashpad\reports\e1ef82546f0b02	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX8ACE.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX8ACF.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Crashpad\reports\SppExtComObj.exe	7ef44e6c54801a42dc9cff0bf0459036.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	7ef44e6c54801a42dc9cff0bf0459036.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4248	schtasks.exe
544	schtasks.exe
4608	schtasks.exe
4320	schtasks.exe
3600	schtasks.exe
392	schtasks.exe
1836	schtasks.exe
3792	schtasks.exe
4288	schtasks.exe
4928	schtasks.exe
732	schtasks.exe
1816	schtasks.exe
3328	schtasks.exe
3168	schtasks.exe
696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
3052	powershell.exe
3948	powershell.exe
468	powershell.exe
2608	powershell.exe
2468	7ef44e6c54801a42dc9cff0bf0459036.exe
2704	powershell.exe
2604	powershell.exe
2704	powershell.exe
3052	powershell.exe
3948	powershell.exe
468	powershell.exe
2608	powershell.exe
2604	powershell.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe
4508	SppExtComObj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4508	SppExtComObj.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	7ef44e6c54801a42dc9cff0bf0459036.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	4508	SppExtComObj.exe
Token: SeBackupPrivilege	5080	vssvc.exe
Token: SeRestorePrivilege	5080	vssvc.exe
Token: SeAuditPrivilege	5080	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 468	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	99
PID 2468 wrote to memory of 468	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	99
PID 2468 wrote to memory of 3948	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	100
PID 2468 wrote to memory of 3948	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	100
PID 2468 wrote to memory of 3052	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	101
PID 2468 wrote to memory of 3052	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	101
PID 2468 wrote to memory of 2604	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	102
PID 2468 wrote to memory of 2604	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	102
PID 2468 wrote to memory of 2704	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	103
PID 2468 wrote to memory of 2704	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	103
PID 2468 wrote to memory of 2608	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	104
PID 2468 wrote to memory of 2608	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	104
PID 2468 wrote to memory of 552	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	111
PID 2468 wrote to memory of 552	2468	7ef44e6c54801a42dc9cff0bf0459036.exe	111
PID 552 wrote to memory of 1876	552	cmd.exe	113
PID 552 wrote to memory of 1876	552	cmd.exe	113
PID 552 wrote to memory of 4508	552	cmd.exe	122
PID 552 wrote to memory of 4508	552	cmd.exe	122
PID 4508 wrote to memory of 4120	4508	SppExtComObj.exe	124
PID 4508 wrote to memory of 4120	4508	SppExtComObj.exe	124
PID 4508 wrote to memory of 5068	4508	SppExtComObj.exe	126
PID 4508 wrote to memory of 5068	4508	SppExtComObj.exe	126
PID 4508 wrote to memory of 224	4508	SppExtComObj.exe	136
PID 4508 wrote to memory of 224	4508	SppExtComObj.exe	136
PID 224 wrote to memory of 4904	224	msedge.exe	137
PID 224 wrote to memory of 4904	224	msedge.exe	137
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138
PID 224 wrote to memory of 2912	224	msedge.exe	138

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe
"C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XwRQ6ahGtp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1876
- - C:\Program Files\Crashpad\reports\SppExtComObj.exe
    "C:\Program Files\Crashpad\reports\SppExtComObj.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4508
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0b7aa10-ca35-4a9a-8e50-d9eb7e858c1b.vbs"
      4⤵
      PID:4120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6485e29f-b244-46ce-befe-adcc187e542a.vbs"
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12174/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49dc46f8,0x7ffd49dc4708,0x7ffd49dc4718
        5⤵
        
        PID:4904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:2912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        
        PID:4560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
        5⤵
        
        PID:1292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:2832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        5⤵
        
        PID:1776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        5⤵
        
        PID:4188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        5⤵
        
        PID:3316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
        5⤵
        
        PID:5108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
        5⤵
        
        PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
        5⤵
        
        PID:5792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15270525759431660071,3682264270729878894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        
        PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\reports\SppExtComObj.exe

Filesize
1.8MB

MD5
7ef44e6c54801a42dc9cff0bf0459036

SHA1
45322aee2375b98a8b443e08d5e9f58ac10e9e2d

SHA256
54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

SHA512
dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
228ef5ce5f18bf31d450e2728abff0c4

SHA1
c46c00d5ef034118a5ad88891ab3bd2200dcd4a8

SHA256
b3b1ea023f127b44c0e255eba9717f9e02a3185f24f79843c28076b82bcb9b6e

SHA512
615e0d6a099922298c36b57f3209508bc01a52537a07991e6b711a2106b205c45e3b5a44074bb967e982612126ebc7bb79d71d2c16765546573b7e93875542f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09d3f3d5badbb57dab378e5958a32284

SHA1
449172af5ce9866495f5fe2b4902efa2fa5b7ed4

SHA256
b9d382c3213e9bdeb3534d91de8e71fc069159ca51317efae98d23c6f26867c9

SHA512
b4fa8ff696053c9db91f9776c74d9f2e8a9f4caac99cea0deaead9c84a6b42723997e4b5a0b77260d63c8532c2fca6cc982c893155b39198a0fd6a0cc998f5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8bbfa1ad0be7252580921f6066aa58e

SHA1
d8ffd0514a914dc565ea36368576ab1b06783803

SHA256
e7b64e34ce122e86e91ae7b71f32ee3cc501f74025c401112a2cff3eec7e8933

SHA512
e629b4caa9608805588107223d72e79cf330b0c0634f86586a7df6ffe61840787fb8649440c13ecf614e257b4f073c87322b50c4fa8a927803acd5fef0b397ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d96a93960fbd3f461f8c067894ee90d

SHA1
b8cb495685408407636b7e02cc07a173fca46ae8

SHA256
0efbdfc82c760900beb92ae784af40d67b8edb3b424822408cc867bad9992e1b

SHA512
aca1effad6e6e172d629ace422fa26e5f665de0f62fd811ebc96fe0e12f42d9583a23d5866e6bcf5e2a0365ed93dbc3550522fda440e54b296641775761663f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\6485e29f-b244-46ce-befe-adcc187e542a.vbs

Filesize
502B

MD5
c8e3e490d5a5de02b9754d6319d4fc34

SHA1
94a9ce5a84fa4a6c8399cfe7bef732f80c6d6953

SHA256
918f13a7c54d2934fc1ef7ee2db972907e15c1f26ea4373d2701367af1b140f7

SHA512
3b94583e212fee38b8bb0a3d43d81a0f6bc4027256f025b1aac94477ca68560c357bdd055daf3f1dcc858b8c422ee1ef7279b466a9eaf97a4233118c8a37f7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwRQ6ahGtp.bat

Filesize
215B

MD5
5031248c2f1dfa01fd5b3e933929a35b

SHA1
871c547cc8970b8adf3167277ae8b59b3bedd44f

SHA256
4e4459e3497b137e6875736b461817b290fbb0e3773bb007f4f37ca26a4d4786

SHA512
ad166787ef76ac2f87c3e7722eb7c1bf1fcf43b819e180a3c6e691f33435e1536cba0e9129fc1fd0a15e0a3a04bab7ddb95c253fa6fba357a3a42e9739156728

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ww23robq.zj5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0b7aa10-ca35-4a9a-8e50-d9eb7e858c1b.vbs

Filesize
726B

MD5
c1267befbc590645a0818228796ad1bb

SHA1
5a0beaeb7f46eb3d351f840e240a07aa601562c2

SHA256
4b8920809825106c7632b7c56343b03777bc8bd2a1ef7e33b06ede1951b2cf20

SHA512
a0f1fe33a333d4fa39c5331969235256df455eea9bdd439ce8a7f3d7eae7d702da8400908f08cbca9b9764223aca1ac0c2821c5d984c2485e721bc4032303b17

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\backgroundTaskHost.exe

Filesize
1.8MB

MD5
20f3a63cfaab4bc472d5ebf1ae555ce2

SHA1
a539c1ab5e37acee874027e058b20002968bca91

SHA256
10c58026ad9945b0565251cee14c213b544879b29d68609402adacd1b8592441

SHA512
90860df2de09580c3e9713477456133b03e53493d0a472e08163f10a99a5fb0677fcbe9280dcbcf30e1b0bdb2a9ca95251d4bdeba387740a6f8aea95968a9bd2

Download Submit
C:\Users\Default\RuntimeBroker.exe

Filesize
1.8MB

MD5
e44eafc3c89e4b75834d307bdc4bd18b

SHA1
e7c186c6fc8df6c30fa8d92ac38117d111ac4eb9

SHA256
2f40d1350fbb1509e9165ca399d8ed46e1d7678c68d187525c0d266ed35f820f

SHA512
4663543d96f665b8693abb5e66e1bbcb2a0b41740f3505fb39cf95480c8836802610f0eb35ce18ac2cd0782fe7ce4780061fe24fe8ca561dbcbb052bdb001ded

Download Submit
memory/2468-11-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/2468-14-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/2468-16-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/2468-22-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-25-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-26-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-19-0x000000001BA70000-0x000000001BA78000-memory.dmp

Filesize
32KB

Download
memory/2468-21-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/2468-20-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/2468-1-0x00000000002F0000-0x00000000004BC000-memory.dmp

Filesize
1.8MB

Download
memory/2468-18-0x000000001BA50000-0x000000001BA5E000-memory.dmp

Filesize
56KB

Download
memory/2468-131-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-15-0x000000001BA60000-0x000000001BA68000-memory.dmp

Filesize
32KB

Download
memory/2468-17-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/2468-13-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/2468-12-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/2468-0-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

Filesize
8KB

Download
memory/2468-10-0x000000001B140000-0x000000001B14C000-memory.dmp

Filesize
48KB

Download
memory/2468-9-0x000000001B130000-0x000000001B13A000-memory.dmp

Filesize
40KB

Download
memory/2468-8-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/2468-7-0x000000001B100000-0x000000001B116000-memory.dmp

Filesize
88KB

Download
memory/2468-4-0x000000001B760000-0x000000001B7B0000-memory.dmp

Filesize
320KB

Download
memory/2468-5-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2468-6-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2468-3-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/2468-2-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2704-107-0x0000024C07CF0000-0x0000024C07D12000-memory.dmp

Filesize
136KB

Download