dcrat | 95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Size

1.7MB
MD5

274dfd128512553bde18a7d5e63afcf1
SHA1

3579d08a2a108e03cda8a8439380896106e998d9
SHA256

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e
SHA512

6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl2x

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	2080	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1956-1-0x0000000000E30000-0x0000000000FF0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b6b-30.dat	dcrat
behavioral2/files/0x000d000000023b71-57.dat	dcrat
behavioral2/files/0x000800000001e104-79.dat	dcrat
behavioral2/memory/1768-226-0x00000000005B0000-0x0000000000770000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe
4720	powershell.exe
2272	powershell.exe
4020	powershell.exe
4776	powershell.exe
3000	powershell.exe
4648	powershell.exe
2424	powershell.exe
4060	powershell.exe
1588	powershell.exe
4260	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 7 IoCs

pid	Process
1768	RuntimeBroker.exe
1632	RuntimeBroker.exe
4844	RuntimeBroker.exe
2260	RuntimeBroker.exe
2024	RuntimeBroker.exe
1136	RuntimeBroker.exe
3152	RuntimeBroker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\RCX7E8D.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows NT\fontdrvhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows NT\fontdrvhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows NT\5b884080fd4f94	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows NT\RCX7E8C.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5068	schtasks.exe
1928	schtasks.exe
3220	schtasks.exe
2420	schtasks.exe
1996	schtasks.exe
3244	schtasks.exe
780	schtasks.exe
5000	schtasks.exe
1216	schtasks.exe
4960	schtasks.exe
1816	schtasks.exe
3176	schtasks.exe
2024	schtasks.exe
4700	schtasks.exe
1124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
4648	powershell.exe
4648	powershell.exe
4260	powershell.exe
4260	powershell.exe
2424	powershell.exe
2424	powershell.exe
1284	powershell.exe
1284	powershell.exe
4060	powershell.exe
4060	powershell.exe
1588	powershell.exe
1588	powershell.exe
4720	powershell.exe
4720	powershell.exe
3000	powershell.exe
3000	powershell.exe
4776	powershell.exe
4776	powershell.exe
4020	powershell.exe
4020	powershell.exe
2272	powershell.exe
2272	powershell.exe
2424	powershell.exe
4648	powershell.exe
4260	powershell.exe
4776	powershell.exe
4720	powershell.exe
2272	powershell.exe
1284	powershell.exe
1588	powershell.exe
4060	powershell.exe
4020	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	1768	RuntimeBroker.exe
Token: SeDebugPrivilege	1632	RuntimeBroker.exe
Token: SeDebugPrivilege	4844	RuntimeBroker.exe
Token: SeDebugPrivilege	2260	RuntimeBroker.exe
Token: SeDebugPrivilege	2024	RuntimeBroker.exe
Token: SeDebugPrivilege	1136	RuntimeBroker.exe
Token: SeDebugPrivilege	3152	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1588	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	100
PID 1956 wrote to memory of 1588	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	100
PID 1956 wrote to memory of 4260	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	101
PID 1956 wrote to memory of 4260	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	101
PID 1956 wrote to memory of 2424	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	102
PID 1956 wrote to memory of 2424	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	102
PID 1956 wrote to memory of 4648	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	103
PID 1956 wrote to memory of 4648	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	103
PID 1956 wrote to memory of 3000	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	104
PID 1956 wrote to memory of 3000	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	104
PID 1956 wrote to memory of 4776	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	105
PID 1956 wrote to memory of 4776	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	105
PID 1956 wrote to memory of 4020	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	106
PID 1956 wrote to memory of 4020	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	106
PID 1956 wrote to memory of 2272	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	107
PID 1956 wrote to memory of 2272	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	107
PID 1956 wrote to memory of 4720	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	108
PID 1956 wrote to memory of 4720	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	108
PID 1956 wrote to memory of 4060	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	109
PID 1956 wrote to memory of 4060	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	109
PID 1956 wrote to memory of 1284	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	110
PID 1956 wrote to memory of 1284	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	110
PID 1956 wrote to memory of 4832	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	122
PID 1956 wrote to memory of 4832	1956	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	122
PID 4832 wrote to memory of 2016	4832	cmd.exe	124
PID 4832 wrote to memory of 2016	4832	cmd.exe	124
PID 4832 wrote to memory of 1768	4832	cmd.exe	131
PID 4832 wrote to memory of 1768	4832	cmd.exe	131
PID 1768 wrote to memory of 1052	1768	RuntimeBroker.exe	135
PID 1768 wrote to memory of 1052	1768	RuntimeBroker.exe	135
PID 1768 wrote to memory of 1568	1768	RuntimeBroker.exe	136
PID 1768 wrote to memory of 1568	1768	RuntimeBroker.exe	136
PID 1052 wrote to memory of 1632	1052	WScript.exe	142
PID 1052 wrote to memory of 1632	1052	WScript.exe	142
PID 1632 wrote to memory of 3860	1632	RuntimeBroker.exe	144
PID 1632 wrote to memory of 3860	1632	RuntimeBroker.exe	144
PID 1632 wrote to memory of 864	1632	RuntimeBroker.exe	145
PID 1632 wrote to memory of 864	1632	RuntimeBroker.exe	145
PID 3860 wrote to memory of 4844	3860	WScript.exe	150
PID 3860 wrote to memory of 4844	3860	WScript.exe	150
PID 4844 wrote to memory of 3628	4844	RuntimeBroker.exe	152
PID 4844 wrote to memory of 3628	4844	RuntimeBroker.exe	152
PID 4844 wrote to memory of 2420	4844	RuntimeBroker.exe	153
PID 4844 wrote to memory of 2420	4844	RuntimeBroker.exe	153
PID 3628 wrote to memory of 2260	3628	WScript.exe	155
PID 3628 wrote to memory of 2260	3628	WScript.exe	155
PID 2260 wrote to memory of 3680	2260	RuntimeBroker.exe	157
PID 2260 wrote to memory of 3680	2260	RuntimeBroker.exe	157
PID 2260 wrote to memory of 4348	2260	RuntimeBroker.exe	158
PID 2260 wrote to memory of 4348	2260	RuntimeBroker.exe	158
PID 3680 wrote to memory of 2024	3680	WScript.exe	159
PID 3680 wrote to memory of 2024	3680	WScript.exe	159
PID 2024 wrote to memory of 2412	2024	RuntimeBroker.exe	161
PID 2024 wrote to memory of 2412	2024	RuntimeBroker.exe	161
PID 2024 wrote to memory of 3652	2024	RuntimeBroker.exe	162
PID 2024 wrote to memory of 3652	2024	RuntimeBroker.exe	162
PID 2412 wrote to memory of 1136	2412	WScript.exe	163
PID 2412 wrote to memory of 1136	2412	WScript.exe	163
PID 1136 wrote to memory of 840	1136	RuntimeBroker.exe	165
PID 1136 wrote to memory of 840	1136	RuntimeBroker.exe	165
PID 1136 wrote to memory of 2720	1136	RuntimeBroker.exe	166
PID 1136 wrote to memory of 2720	1136	RuntimeBroker.exe	166
PID 840 wrote to memory of 3152	840	WScript.exe	168
PID 840 wrote to memory of 3152	840	WScript.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
"C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkQwtlzQjM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2016
- - C:\Users\Public\Pictures\RuntimeBroker.exe
    "C:\Users\Public\Pictures\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1224d2d-65ad-4ac7-b683-d145b47ecc34.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b539308-c0bb-4618-93b2-325d48c1e5f1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e52d25a9-20d0-47a0-a846-f6a1c4b49d82.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\616c1127-36fb-4f00-9b40-41bf02505d66.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb79cb4c-465b-4c52-bea8-68fb71a80b07.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28d6467-288f-4afe-a746-8f011dc8a946.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        
        C:\Users\Public\Pictures\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8627f7e2-f47a-41bd-af56-37fc96173cf2.vbs"
        16⤵
        
        PID:3964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ef929d9-ec42-423e-9bd5-c534fa10a8df.vbs"
        16⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9331fc6-bcaa-4442-bc8a-7c62964ff579.vbs"
        14⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2311abc3-2dc7-49f7-b0a4-54a352c8bbd7.vbs"
        12⤵
        
        PID:3652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c591a581-613e-4de9-8e1f-d75d042fd7d6.vbs"
        10⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c615b36d-8197-4dbe-a0ba-967f111f4504.vbs"
        8⤵
        
        PID:2420
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6db39396-6f84-4889-98af-eb3470235a05.vbs"
        6⤵
        
        PID:864
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b35e9c6-2964-4b52-9e1c-a53dc02a6d04.vbs"
      4⤵
      PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Filesize
1.7MB

MD5
274dfd128512553bde18a7d5e63afcf1

SHA1
3579d08a2a108e03cda8a8439380896106e998d9

SHA256
95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

SHA512
6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b35e9c6-2964-4b52-9e1c-a53dc02a6d04.vbs

Filesize
494B

MD5
fa885eb88d8c6370ec45b9022f6e5fb5

SHA1
6312ac692b034b14ce40a7d5c7aa70eb07fca141

SHA256
df7cb897532ab2ac2a168b899cc992fa898ff251cc971afbe829b4a0ffcda8d3

SHA512
1d2994464689c560d7f58d9dd6941c6c04d69ad4a9158284412798567b0fe6c32d80cb69224c2173fef7b01226e7539cca9e05d7ee9d217ce93c763606d0f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\616c1127-36fb-4f00-9b40-41bf02505d66.vbs

Filesize
718B

MD5
29598aee1e12be85570d45b87c105af0

SHA1
97a2353924fe723578f70bc2ff8c32df3fc40677

SHA256
62001be8d27caf5c8dd6dbc312cf7dd17f2a2e11b51503fa9a4d970a16e6a776

SHA512
30d1c5a88082962fd5e5cae57b43f073e03dc8864d03b3b7e6fb72805cae6dcc8d505003736dd381871b02026dac9f543bb23b5218c0b2570ed4c2deb54b5490

Download Submit
C:\Users\Admin\AppData\Local\Temp\8627f7e2-f47a-41bd-af56-37fc96173cf2.vbs

Filesize
718B

MD5
b0ec44ce350242dac34b93f65ed8c29c

SHA1
9b6b2453c623481851d882a30a21c921a0dc2c23

SHA256
70ffc7932857d492e77a6b9cf5405c8e91132dbaa39f3012c23c4213148d3753

SHA512
52b37b3633da56c7708d84f61fdac9f9b735247a74f48fe47821bc3ffddef12434f8f95d6f401bc93997c09c2611dab1155c2521ff9b5aac09262d35c2423e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b539308-c0bb-4618-93b2-325d48c1e5f1.vbs

Filesize
718B

MD5
e127aac405e779f5fd84d3c4cd680eb8

SHA1
2ce095e948e1e34485a664e0a8e36ccae620d1f5

SHA256
d27f1898a6616954f4548e79199737c4400d5acea7b89ac8e8baf921c4823cc5

SHA512
f6054e6096b14ef18b5f8452e4d9ffe43957757dc93b80fe36aefdedf4358171a74fefdc5440fb97386409e80d769f04bdfbad73b4f9b02acb63ac0759897314

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkQwtlzQjM.bat

Filesize
207B

MD5
b3c184866b6770937f2ed0d661d482da

SHA1
eb6bd3c0e39b31353e13b4f337730f4da65b5fec

SHA256
d299eeffbd11161563710c6fcd077de2d1db2c3adf4c5914aa43bd5359d4077a

SHA512
6e2d537001292a20f19221e54b3be433e62c046e734c39880cea9fee80557e48054a00a85a99e2cf4163fba6e6e837c07687dcf0e8198c050e98841a43491864

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3vviyr4.skn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb79cb4c-465b-4c52-bea8-68fb71a80b07.vbs

Filesize
718B

MD5
b5baa6c76fb810375cbf958acfb527d8

SHA1
060880ce6c7ca55437bfe53922004ba011f7f1f2

SHA256
90669d55061495b86bc5e5809f69f1d5c79d930252aed16aeebce401649bb312

SHA512
b39b1205c14279aae787dae01660dcb95387fff01a99588cc8a9ac9f47a4e1fc1ea20e6356ba56ba2716b624688529ceffda55692f1e95b96c29f89df40ca889

Download Submit
C:\Users\Admin\AppData\Local\Temp\c28d6467-288f-4afe-a746-8f011dc8a946.vbs

Filesize
718B

MD5
12ed1755a7b7437326d0eff42194ec9d

SHA1
e786fbd47ffc0fb2611c0825a8d9bb6fadcf231d

SHA256
e500e632e94ba92df72de352ace49f2c029edb4d006679014a04363ea96b6874

SHA512
4f1895e03cdfd7edc4cb7195327cec7092db7498bab7be728ff918ca22ed1483e27e5f92993cd5aafdc88dfd60ee6528a32f0b9d19aca02edb20bc7b48777539

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1224d2d-65ad-4ac7-b683-d145b47ecc34.vbs

Filesize
718B

MD5
09b93f99ea8f01112e474c45ab848794

SHA1
a9c64b069efdd8abd671296b7943f5a8c9a162c8

SHA256
9419f5a81a555d0703b2aca90d0abb69ea614915b8930cd059d8a6e1543125fa

SHA512
3d0d14077851604e650547b30cf6dfe0af35c030db97ac3a1e24f381ea9dfe1ef0ba555eede50bbc72d55704fd5f8cb57dc2be681a78919ba23641bc9986fdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e52d25a9-20d0-47a0-a846-f6a1c4b49d82.vbs

Filesize
718B

MD5
a7e8a6c57d763715451d9fadc6b0b4bc

SHA1
a7922a4dddec8047416793284732f999948a086b

SHA256
f4e4d6505d30b6fe68da6c1128ed96ef0786330a92d78ac513a7acfab9ec7237

SHA512
4fda50f95589717cf0fdcb9e9b70714f4d88a1e4ea0a30ecb03bc0e2185f5efb1e2921253d0559553f2752e1468a40865a65981edac5873b421c76ca093e41d1

Download Submit
C:\Users\Admin\Downloads\Idle.exe

Filesize
1.7MB

MD5
6c6a3e9f21db53a60a4a13ced87d564d

SHA1
dce279a60a728891277aac47bf68173de1c00621

SHA256
829cf703b2f8b61449a7cfa8c5944e4acb6c9bc5e237e0a78b3fc3d3a427563e

SHA512
6729027786169d3317384bab40e078f5166645da76482f8b72bd9cabc4fa123c27dec2554154c01e1c6f380b8aeff48b217ebaa9a6a895537cd9a5b0ba3312a2

Download Submit
C:\Users\Public\Pictures\RuntimeBroker.exe

Filesize
1.7MB

MD5
71b3a3dbd5913a0a6bb5264664869afa

SHA1
28a7deceec8e1ccc57210854dc0871c5597fce13

SHA256
6f7f20ac171bd98bb89f646d3c6baaf9d84cfe637d9264a5325f7c8316aa5217

SHA512
efdb33e461ed672291fe952ca0af89a748249a035bb045dd234b5e6ee6c967692b50d590afbecd7b79e385dee3e280c1e31a77f5efd651a9c235838deba8104c

Download Submit
memory/1136-284-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/1632-239-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/1768-226-0x00000000005B0000-0x0000000000770000-memory.dmp

Filesize
1.8MB

Download
memory/1956-13-0x000000001C860000-0x000000001CD88000-memory.dmp

Filesize
5.2MB

Download
memory/1956-23-0x00007FF8E28C0000-0x00007FF8E3381000-memory.dmp

Filesize
10.8MB

Download
memory/1956-19-0x000000001C560000-0x000000001C56C000-memory.dmp

Filesize
48KB

Download
memory/1956-100-0x00007FF8E28C0000-0x00007FF8E3381000-memory.dmp

Filesize
10.8MB

Download
memory/1956-1-0x0000000000E30000-0x0000000000FF0000-memory.dmp

Filesize
1.8MB

Download
memory/1956-18-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/1956-16-0x000000001C530000-0x000000001C53E000-memory.dmp

Filesize
56KB

Download
memory/1956-14-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/1956-17-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/1956-12-0x000000001BC80000-0x000000001BC92000-memory.dmp

Filesize
72KB

Download
memory/1956-10-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/1956-0-0x00007FF8E28C3000-0x00007FF8E28C5000-memory.dmp

Filesize
8KB

Download
memory/1956-9-0x0000000003180000-0x000000000318C000-memory.dmp

Filesize
48KB

Download
memory/1956-4-0x000000001C2E0000-0x000000001C330000-memory.dmp

Filesize
320KB

Download
memory/1956-7-0x0000000003160000-0x0000000003176000-memory.dmp

Filesize
88KB

Download
memory/1956-22-0x00007FF8E28C0000-0x00007FF8E3381000-memory.dmp

Filesize
10.8MB

Download
memory/1956-8-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/1956-5-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/1956-6-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/1956-3-0x0000000003100000-0x000000000311C000-memory.dmp

Filesize
112KB

Download
memory/1956-15-0x000000001BCC0000-0x000000001BCCA000-memory.dmp

Filesize
40KB

Download
memory/1956-2-0x00007FF8E28C0000-0x00007FF8E3381000-memory.dmp

Filesize
10.8MB

Download
memory/4648-110-0x000001E89F720000-0x000001E89F742000-memory.dmp

Filesize
136KB

Download