dcrat | 7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

Resubmissions

10-12-2024 18:26

241210-w3hysasrbz 10

10-12-2024 18:23

241210-w1la5axqgp 10

Analysis

max time kernel
13s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-12-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Size

1.7MB
MD5

89b97de873721b7f7c0e290f3009714a
SHA1

a497ecfd40010292888930dad8e90139555a53a1
SHA256

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2
SHA512

48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvX:eTHUxUoh1IF9gl2o

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	3900	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3900	schtasks.exe	80

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/4532-1-0x0000000000B20000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/files/0x002a00000004515e-45.dat	dcrat
behavioral1/files/0x002b0000000450c7-51.dat	dcrat
behavioral1/files/0x002a0000000450ca-61.dat	dcrat
behavioral1/files/0x002a0000000450cd-69.dat	dcrat
behavioral1/files/0x002c000000045173-77.dat	dcrat
behavioral1/files/0x002a0000000450d7-85.dat	dcrat
behavioral1/files/0x002a0000000450e2-93.dat	dcrat
behavioral1/files/0x002a0000000450f8-101.dat	dcrat
behavioral1/files/0x00300000000450fd-111.dat	dcrat
behavioral1/files/0x002a000000045103-119.dat	dcrat
behavioral1/files/0x002c000000045106-135.dat	dcrat
behavioral1/files/0x002900000004513a-282.dat	dcrat
behavioral1/memory/3612-284-0x0000000000D70000-0x0000000000F30000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
1080	powershell.exe
2624	powershell.exe
1484	powershell.exe
2768	powershell.exe
3248	powershell.exe
3368	powershell.exe
1820	powershell.exe
5112	powershell.exe
1476	powershell.exe
3628	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXA3AA.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\services.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXABC0.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Mozilla Firefox\fonts\services.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Mozilla Firefox\fonts\c5b4cb5e9653cc	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\ModifiableWindowsApps\MusNotification.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXA428.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXAB42.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\winlogon.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\38384e6a620884	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\RCXB2CA.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\RCXB338.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3000	schtasks.exe
4712	schtasks.exe
2740	schtasks.exe
1292	schtasks.exe
4224	schtasks.exe
4472	schtasks.exe
2620	schtasks.exe
744	schtasks.exe
544	schtasks.exe
380	schtasks.exe
1604	schtasks.exe
1968	schtasks.exe
1852	schtasks.exe
896	schtasks.exe
3388	schtasks.exe
4424	schtasks.exe
4396	schtasks.exe
2324	schtasks.exe
1192	schtasks.exe
3504	schtasks.exe
1208	schtasks.exe
572	schtasks.exe
1636	schtasks.exe
980	schtasks.exe
2948	schtasks.exe
2632	schtasks.exe
4708	schtasks.exe
548	schtasks.exe
1832	schtasks.exe
3848	schtasks.exe
4188	schtasks.exe
1480	schtasks.exe
3772	schtasks.exe
1836	schtasks.exe
4924	schtasks.exe
672	schtasks.exe
4968	schtasks.exe
4528	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1080	powershell.exe
1080	powershell.exe
3368	powershell.exe
3368	powershell.exe
1476	powershell.exe
1476	powershell.exe
1820	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2332	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	124
PID 4532 wrote to memory of 2332	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	124
PID 4532 wrote to memory of 1080	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	125
PID 4532 wrote to memory of 1080	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	125
PID 4532 wrote to memory of 5112	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	126
PID 4532 wrote to memory of 5112	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	126
PID 4532 wrote to memory of 2624	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	127
PID 4532 wrote to memory of 2624	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	127
PID 4532 wrote to memory of 1820	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	128
PID 4532 wrote to memory of 1820	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	128
PID 4532 wrote to memory of 3368	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	130
PID 4532 wrote to memory of 3368	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	130
PID 4532 wrote to memory of 3248	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	131
PID 4532 wrote to memory of 3248	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	131
PID 4532 wrote to memory of 2768	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	133
PID 4532 wrote to memory of 2768	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	133
PID 4532 wrote to memory of 1484	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	134
PID 4532 wrote to memory of 1484	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	134
PID 4532 wrote to memory of 3628	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	136
PID 4532 wrote to memory of 3628	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	136
PID 4532 wrote to memory of 1476	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	137
PID 4532 wrote to memory of 1476	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	137
PID 4532 wrote to memory of 3644	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	147
PID 4532 wrote to memory of 3644	4532	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	147
PID 3644 wrote to memory of 2328	3644	cmd.exe	150
PID 3644 wrote to memory of 2328	3644	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3aP7BHwCtO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2328
- - C:\Recovery\WindowsRE\dllhost.exe
    "C:\Recovery\WindowsRE\dllhost.exe"
    3⤵
    PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe

Filesize
1.7MB

MD5
cd5ee4dc0e018cf7647a76e8314bc044

SHA1
fdbcc26a0243a0e64fb43509b0ffffe65b3b3c30

SHA256
327c8eef68822ad7ef6bc5641444f8514cfd5f0cdaa905718d7a10f5ae7e0dd7

SHA512
c87ad628079e02bee9b6a397fa47374ec434531ee6c0b6a3164e5e422171eb1777c168a0d629173bd73de6e5cde20f7361eae3adf4e3a9aa01c8959973c5f31c

Download Submit
C:\Program Files\Mozilla Firefox\fonts\services.exe

Filesize
1.7MB

MD5
d8c082fc6bcd5e67aa79778077371e6d

SHA1
4923e5099139d6ed5d55580243407f41cd1484d8

SHA256
631064d3aba15198220d52601ec828eb8ecd005cfb72f8851e46f52d71b7eb70

SHA512
7bde45bcb92cf8f63851abd298426ccfe80408148ca4e52e0b370546e53165dd33c9b61c7a7a1abedded5182de363ab21f372a544e865d82e14116bb207bfba1

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.7MB

MD5
c9e440f4c387edba7f16e11193af5249

SHA1
0ef4b284620cc5af3727e5349759c0456bcc809f

SHA256
1ab5de564033dd2556e53107250a5c5d97b0ba45fac3f624b0fffa5cfa459f59

SHA512
9636d88bee26476227263cfdfee14f6614ec5f1692a7c4baab6a02dab64394e49bb9721bc76b339b6963cf0b4777ea2ffb08a5e841c6a95b7e0427ae708f4f2e

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.7MB

MD5
e51cbcf1232896a728dbffd9e600d42e

SHA1
01bfc33078b66af1c359c736a236b3c6eeb4c70d

SHA256
5296a7e00838930eac6158685a06f9406b2ace30c68fd17626f233920aee3540

SHA512
ceed4791848fd7d4a78c017eb560f80d3a931697b59f36e9e687fc61b8c2f1f4044822913288f900c80e5231290541e49aeb7c0af072c4dfbd7939bd89b914f3

Download Submit
C:\Recovery\WindowsRE\upfc.exe

Filesize
1.7MB

MD5
9b56134e5ff6e7bcb524e3f9075e0df1

SHA1
4dfb969aaec22ff46e7808cf2043900beb843f61

SHA256
1390b560abe514f68c24531a719754fc0e493f764d955dde33d7549197afe987

SHA512
2d454e0ac670c2c34296011a4bc3bdebabeb6034365b5e55818a9997c05e85bcff716161e08f586eb4a940bb3b14828b1f7ce35ed978f68e29d56a6011ecb672

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.7MB

MD5
8800c5680094b934935883857839fe81

SHA1
2575c1d45128ae824528eb8f1e9340244d852d4b

SHA256
9a364ca0794f31c26f182b30c9410c5845fd1637bb12547a76ce38be788b574f

SHA512
82b1223ad138007762684fa29d7c72103e8924946ca7e2dca2cfe1d95bc046f2e97c43abbc5ceed4db9461677d493ebd41d2ae58149589b2ddd3b5d458b47587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0731f5760fdaec554ebeac92c5b858a

SHA1
4ac0a7f4cac1a8993d8d2e41490519b203272aec

SHA256
994163ee07fb3c0657229e7adbe8e3468d8f134c607552668a48660f70067e2e

SHA512
7fdbf4c8b22f2a36b32212dc41c5379496c8a4a670a6b13eeac02ebfbc394035ff25a8d79ae0a16c4f5f22bd5f59a141bb5774ba5439d1894e5363b3214dde33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84063c0d1d9aae057e1c424279a859b9

SHA1
267a2c5851b5da21dea746f0417dd4b33f051a31

SHA256
8efb3b1ffff11a06d7fc95530ea8eb260de51e72cfb457cf10a6fd34c8d20ed8

SHA512
ed878d9e9632e0f9ca2a644a86dd142eb91ea74403e5829dd159f225b7230b48314d52f783aff3e80180815f95cb7daebfdc0a89e4d93eb233aebb53ebc7f111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aP7BHwCtO.bat

Filesize
198B

MD5
a8b45237c47a4db3c1a019c51a5c1d4d

SHA1
f915006e3089f5a10111a3d2d59df4342192b8e2

SHA256
e44792c2335d586fded184cc374d27c0d77cc8c53eabb9fc30764f5d3963b11f

SHA512
992acbf13b04187ad0b17d5822a94321f43a56f4b927ebaaccbc26974b1e3ede95341380f89ce9ddf4a491b701606f828d72549fd7d0063f2c2c6b86324912bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bakcaolc.ju0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
1.7MB

MD5
d1648b6fe3093b81c9353e08ec92629d

SHA1
cb54e147b1fd9811b76b0eb8d1a00f18fbf2bb52

SHA256
46beadce414c209c34241113a407a533e93397f2c4c3c08fe3dd7d502f1392e9

SHA512
501232c81c5d47b0ec348824ba94bcf62b0ce7a2839e991bb8488bb07ec5d4e2c5b91776f43f1bb75161b9e172b2d81a93c9576210985ad146388a23b2effa93

Download Submit
C:\Users\Admin\Pictures\fontdrvhost.exe

Filesize
1.7MB

MD5
6738cb908f68106b04755c91dc48b9e2

SHA1
f4ab4796856fb9b826bd14d713a99bcb528d00aa

SHA256
c829be8120103293aa498a2c239d4c9baf758684a8f1e53f6d905ff4334aaef1

SHA512
2191e9736d49801f9d5492881e84377842fc1708098cce4a5fb22a3e0e34f65e2c76a329461cd3c8dad358f7dca0882b3e32f92941f783083a495bb695cd78c9

Download Submit
C:\Users\Default\RuntimeBroker.exe

Filesize
1.7MB

MD5
7b4958b74ac3e49d0e2ef8b86720f7db

SHA1
4ddecb4048b5763914e7c924bcea4b97863af2ac

SHA256
b6af23c3ff9d4f5312242b9bde4e719ef8266f88e0695c00427b04b3ad512e7b

SHA512
4580dbc5ff8eb4531abd21784d7681cd15367f18199b5ee29348a21d750f88c310d197da4c1a15a95a4b0279a166fe89d8a1c3463b02888733d0e20e7ed297d9

Download Submit
C:\Users\Default\sihost.exe

Filesize
1.7MB

MD5
eb7ac3c5cb2035f3b02975023b262e23

SHA1
189d4b4afb2fd98880040bfcbdc825ea034be6b1

SHA256
7fe81f0b13edae742cc1d128b0ce664f599512f7693a1b27ec51f785ff9498b8

SHA512
3460e45980ed09fb0045b86a8ffef5a7fcacddb7e1094507c5ce7a4f2c355ebbefaca8bfb628d6029914f7bb507fdece72fb4acc7c846ba6514cf348e05d1a10

Download Submit
C:\Users\Public\Pictures\dwm.exe

Filesize
1.7MB

MD5
be5646b7afdf2cf21e01bdfc19a4f6ea

SHA1
bfd5d45d47ebe92a48ab46be4dd84082e942cf11

SHA256
62f35c029f18d1b37ecf31b492d14e98a37824969cd1c8aee07b0b1223eb07dc

SHA512
cc4bf42f3f0f6421bdbb180acc5e8baff3cf2ca185d9d5588adfb346b75cf7a4a5035db99ee29d740ed5736ab53286a5c7c1029491306a2d0967031b37c67f5a

Download Submit
C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\SearchApp.exe

Filesize
1.7MB

MD5
66ab1f70dc1ba4a783374ca424b7e11d

SHA1
63d0569b560dc26ec272a02a68590f9338da0f3b

SHA256
9c8aebf66e88e752b37d959848cbfc49a060fb18d910623588cb03888a5fc698

SHA512
5b41e2ce5fb8419595a1bdf5d0426196d6317e247812d81a70bfa140118a31245f06a0e338e060d9693aa3b81247f2b1595398279c2a2c9b0ab6965e567e08a2

Download Submit
memory/1080-157-0x000002A9920F0000-0x000002A992112000-memory.dmp

Filesize
136KB

Download
memory/3612-284-0x0000000000D70000-0x0000000000F30000-memory.dmp

Filesize
1.8MB

Download
memory/4532-12-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/4532-0-0x00007FFA86993000-0x00007FFA86995000-memory.dmp

Filesize
8KB

Download
memory/4532-21-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-19-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/4532-16-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/4532-17-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/4532-18-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/4532-13-0x000000001C780000-0x000000001CCA8000-memory.dmp

Filesize
5.2MB

Download
memory/4532-104-0x00007FFA86993000-0x00007FFA86995000-memory.dmp

Filesize
8KB

Download
memory/4532-105-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-15-0x000000001C370000-0x000000001C37A000-memory.dmp

Filesize
40KB

Download
memory/4532-14-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/4532-129-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-22-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-146-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-10-0x0000000002E70000-0x0000000002E78000-memory.dmp

Filesize
32KB

Download
memory/4532-156-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-9-0x0000000002E60000-0x0000000002E6C000-memory.dmp

Filesize
48KB

Download
memory/4532-7-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/4532-8-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4532-3-0x0000000002DF0000-0x0000000002E0C000-memory.dmp

Filesize
112KB

Download
memory/4532-4-0x000000001B990000-0x000000001B9E0000-memory.dmp

Filesize
320KB

Download
memory/4532-5-0x0000000001590000-0x0000000001598000-memory.dmp

Filesize
32KB

Download
memory/4532-6-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/4532-2-0x00007FFA86990000-0x00007FFA87452000-memory.dmp

Filesize
10.8MB

Download
memory/4532-1-0x0000000000B20000-0x0000000000CE0000-memory.dmp

Filesize
1.8MB

Download