dcrat | fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

Analysis

max time kernel
96s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4667f5be1002ce912e5590cca8da93b6.exe
Size

1.5MB
MD5

4667f5be1002ce912e5590cca8da93b6
SHA1

2e408e483dd447b69d2e938218989265fbfdc2af
SHA256

fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e
SHA512

cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f
SSDEEP

24576:YvpWPh9nUNea6cQ/VUPoF/VPwrEDgbqeFrQqvvlsDJ+drpDn3fQK/759qiuiMjTP:+W8NA/VUPoFVwrIIV+DJGfZ19qig

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	1436	schtasks.exe	82

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4667f5be1002ce912e5590cca8da93b6.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/396-1-0x0000000000D50000-0x0000000000EDE000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbe-27.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1668	powershell.exe
4008	powershell.exe
816	powershell.exe
2520	powershell.exe
2016	powershell.exe
4392	powershell.exe
2940	powershell.exe
376	powershell.exe
3116	powershell.exe
4476	powershell.exe
4744	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4667f5be1002ce912e5590cca8da93b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 2 IoCs

pid	Process
4448	System.exe
3236	System.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\e6c9b481da804f	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\f3b6ecef712a24	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	4667f5be1002ce912e5590cca8da93b6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Windows Portable Devices\unsecapp.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Windows Portable Devices\29c1c3cc0f7685	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\29c1c3cc0f7685	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Uninstall Information\OfficeClickToRun.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Windows Multimedia Platform\4667f5be1002ce912e5590cca8da93b6.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Windows Multimedia Platform\f0291363749e5e	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files\Uninstall Information\e6c9b481da804f	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\unsecapp.exe	4667f5be1002ce912e5590cca8da93b6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\tasks\upfc.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Windows\Globalization\Sorting\System.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Windows\Globalization\Sorting\27d1bcfc3c54e0	4667f5be1002ce912e5590cca8da93b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4608	schtasks.exe
4524	schtasks.exe
3144	schtasks.exe
3220	schtasks.exe
2424	schtasks.exe
4108	schtasks.exe
3708	schtasks.exe
3952	schtasks.exe
3008	schtasks.exe
1980	schtasks.exe
3852	schtasks.exe
1132	schtasks.exe
924	schtasks.exe
1872	schtasks.exe
5060	schtasks.exe
1376	schtasks.exe
532	schtasks.exe
3184	schtasks.exe
3776	schtasks.exe
544	schtasks.exe
4052	schtasks.exe
4032	schtasks.exe
4456	schtasks.exe
940	schtasks.exe
1816	schtasks.exe
3232	schtasks.exe
392	schtasks.exe
1592	schtasks.exe
4332	schtasks.exe
516	schtasks.exe
244	schtasks.exe
3264	schtasks.exe
3148	schtasks.exe
3108	schtasks.exe
5100	schtasks.exe
3964	schtasks.exe
5072	schtasks.exe
2416	schtasks.exe
2148	schtasks.exe
2224	schtasks.exe
2544	schtasks.exe
3132	schtasks.exe
676	schtasks.exe
3772	schtasks.exe
3344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
396	4667f5be1002ce912e5590cca8da93b6.exe
376	powershell.exe
376	powershell.exe
4008	powershell.exe
4008	powershell.exe
2016	powershell.exe
2016	powershell.exe
1668	powershell.exe
1668	powershell.exe
4392	powershell.exe
4392	powershell.exe
2940	powershell.exe
2940	powershell.exe
2520	powershell.exe
2520	powershell.exe
816	powershell.exe
816	powershell.exe
4476	powershell.exe
4476	powershell.exe
4744	powershell.exe
4744	powershell.exe
376	powershell.exe
3116	powershell.exe
3116	powershell.exe
816	powershell.exe
3116	powershell.exe
4448	System.exe
4448	System.exe
4448	System.exe
4448	System.exe
4744	powershell.exe
4008	powershell.exe
2520	powershell.exe
1668	powershell.exe
2016	powershell.exe
4392	powershell.exe
2940	powershell.exe
4476	powershell.exe
4448	System.exe
4448	System.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	4667f5be1002ce912e5590cca8da93b6.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4448	System.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	3236	System.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3116	396	4667f5be1002ce912e5590cca8da93b6.exe	128
PID 396 wrote to memory of 3116	396	4667f5be1002ce912e5590cca8da93b6.exe	128
PID 396 wrote to memory of 2016	396	4667f5be1002ce912e5590cca8da93b6.exe	129
PID 396 wrote to memory of 2016	396	4667f5be1002ce912e5590cca8da93b6.exe	129
PID 396 wrote to memory of 4392	396	4667f5be1002ce912e5590cca8da93b6.exe	130
PID 396 wrote to memory of 4392	396	4667f5be1002ce912e5590cca8da93b6.exe	130
PID 396 wrote to memory of 2940	396	4667f5be1002ce912e5590cca8da93b6.exe	131
PID 396 wrote to memory of 2940	396	4667f5be1002ce912e5590cca8da93b6.exe	131
PID 396 wrote to memory of 376	396	4667f5be1002ce912e5590cca8da93b6.exe	132
PID 396 wrote to memory of 376	396	4667f5be1002ce912e5590cca8da93b6.exe	132
PID 396 wrote to memory of 4476	396	4667f5be1002ce912e5590cca8da93b6.exe	133
PID 396 wrote to memory of 4476	396	4667f5be1002ce912e5590cca8da93b6.exe	133
PID 396 wrote to memory of 4744	396	4667f5be1002ce912e5590cca8da93b6.exe	134
PID 396 wrote to memory of 4744	396	4667f5be1002ce912e5590cca8da93b6.exe	134
PID 396 wrote to memory of 1668	396	4667f5be1002ce912e5590cca8da93b6.exe	135
PID 396 wrote to memory of 1668	396	4667f5be1002ce912e5590cca8da93b6.exe	135
PID 396 wrote to memory of 4008	396	4667f5be1002ce912e5590cca8da93b6.exe	136
PID 396 wrote to memory of 4008	396	4667f5be1002ce912e5590cca8da93b6.exe	136
PID 396 wrote to memory of 816	396	4667f5be1002ce912e5590cca8da93b6.exe	137
PID 396 wrote to memory of 816	396	4667f5be1002ce912e5590cca8da93b6.exe	137
PID 396 wrote to memory of 2520	396	4667f5be1002ce912e5590cca8da93b6.exe	138
PID 396 wrote to memory of 2520	396	4667f5be1002ce912e5590cca8da93b6.exe	138
PID 396 wrote to memory of 4448	396	4667f5be1002ce912e5590cca8da93b6.exe	149
PID 396 wrote to memory of 4448	396	4667f5be1002ce912e5590cca8da93b6.exe	149
PID 4448 wrote to memory of 3920	4448	System.exe	151
PID 4448 wrote to memory of 3920	4448	System.exe	151
PID 4448 wrote to memory of 4944	4448	System.exe	152
PID 4448 wrote to memory of 4944	4448	System.exe	152
PID 3920 wrote to memory of 3236	3920	WScript.exe	156
PID 3920 wrote to memory of 3236	3920	WScript.exe	156

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4667f5be1002ce912e5590cca8da93b6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4667f5be1002ce912e5590cca8da93b6.exe
"C:\Users\Admin\AppData\Local\Temp\4667f5be1002ce912e5590cca8da93b6.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\Globalization\Sorting\System.exe
  "C:\Windows\Globalization\Sorting\System.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4448
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a3879c6-af00-483f-adbb-39ca4d170817.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\Globalization\Sorting\System.exe
      C:\Windows\Globalization\Sorting\System.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36d29646-4af8-4688-a8b3-e8f215dc636e.vbs"
    3⤵
    PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4667f5be1002ce912e5590cca8da93b64" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\4667f5be1002ce912e5590cca8da93b6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4667f5be1002ce912e5590cca8da93b6" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\4667f5be1002ce912e5590cca8da93b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4667f5be1002ce912e5590cca8da93b64" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\4667f5be1002ce912e5590cca8da93b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Sorting\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Sorting\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\4667f5be1002ce912e5590cca8da93b6.exe

Filesize
1.5MB

MD5
4667f5be1002ce912e5590cca8da93b6

SHA1
2e408e483dd447b69d2e938218989265fbfdc2af

SHA256
fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

SHA512
cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d8567f2d1c8a09bbfe613145bf78577

SHA1
f2af10d629e6d7d2ecec76c34bd755ecf61be931

SHA256
7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

SHA512
89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d29646-4af8-4688-a8b3-e8f215dc636e.vbs

Filesize
495B

MD5
39087a12efb15d89d582a0431a9e118f

SHA1
0813a7f60c2e4c166f70d6790dea509e9df18ea2

SHA256
d2fa343b1be7761775aa48b6c8d8192de05ed7c0022e14f9d0f93bac30529118

SHA512
79e142f5475e5038b75d605e8a9b3566f1e90da9979cdcc1845395aa653f36de2fa46db0c5ab9bb3ddcce1409d8240bcc0f28b5b072f55f8f4c37bc01ad8240f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a3879c6-af00-483f-adbb-39ca4d170817.vbs

Filesize
719B

MD5
3708df5c5cd8dbac34113497757bb6b4

SHA1
dc6a7c617f6f60522f47c9e4f780be09a6050a67

SHA256
096309409309d7912854b9db3ce36e199abdabda065980baaa16e34b29711ca6

SHA512
8113668d27afaad8588ea0f9df0d237de6db43f1a768c74b949ddba40ce09b20746689756cceb32a39cf2a5addad8e0e755eaf1cefac9854549b74960bc3ae04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieb0xayd.11n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-8-0x0000000001890000-0x000000000189C000-memory.dmp

Filesize
48KB

Download
memory/396-14-0x0000000003310000-0x000000000331C000-memory.dmp

Filesize
48KB

Download
memory/396-19-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/396-12-0x0000000003180000-0x000000000318E000-memory.dmp

Filesize
56KB

Download
memory/396-11-0x0000000003170000-0x000000000317A000-memory.dmp

Filesize
40KB

Download
memory/396-10-0x00000000018B0000-0x00000000018BC000-memory.dmp

Filesize
48KB

Download
memory/396-20-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/396-15-0x0000000003360000-0x0000000003368000-memory.dmp

Filesize
32KB

Download
memory/396-60-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/396-1-0x0000000000D50000-0x0000000000EDE000-memory.dmp

Filesize
1.6MB

Download
memory/396-13-0x0000000003300000-0x0000000003308000-memory.dmp

Filesize
32KB

Download
memory/396-16-0x0000000003370000-0x000000000337C000-memory.dmp

Filesize
48KB

Download
memory/396-9-0x00000000018A0000-0x00000000018A8000-memory.dmp

Filesize
32KB

Download
memory/396-0-0x00007FF9D5903000-0x00007FF9D5905000-memory.dmp

Filesize
8KB

Download
memory/396-7-0x0000000001880000-0x000000000188C000-memory.dmp

Filesize
48KB

Download
memory/396-4-0x00000000032B0000-0x0000000003300000-memory.dmp

Filesize
320KB

Download
memory/396-5-0x0000000001850000-0x0000000001866000-memory.dmp

Filesize
88KB

Download
memory/396-6-0x0000000001870000-0x000000000187A000-memory.dmp

Filesize
40KB

Download
memory/396-3-0x0000000001580000-0x000000000159C000-memory.dmp

Filesize
112KB

Download
memory/396-2-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-66-0x000001E2EEDC0000-0x000001E2EEDE2000-memory.dmp

Filesize
136KB

Download