Overview

overview

10

Static

static

10

18e83d9fab...3f.exe

windows7-x64

10

18e83d9fab...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe

  • Size

    2.5MB

  • MD5

    a26ed7dc21bc77f20c0251fa25738d02

  • SHA1

    8fc82929941d67a20c76976e796feab701795c2f

  • SHA256

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

  • SHA512

    5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

  • SSDEEP

    24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe
    "C:\Users\Admin\AppData\Local\Temp\18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g9kGVDPRqj.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4372
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1368
          • C:\Program Files (x86)\Reference Assemblies\conhost.exe
            "C:\Program Files (x86)\Reference Assemblies\conhost.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4612
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1884
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3136
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4720
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4152
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:664
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5088
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:384
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1632
              • C:\Windows\system32\chcp.com
                chcp 65001
                5⤵
                  PID:388
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4696
                • C:\Program Files (x86)\Reference Assemblies\conhost.exe
                  "C:\Program Files (x86)\Reference Assemblies\conhost.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2376
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1428
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3236
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2364
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3660
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5084
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3300
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1252
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2260
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4368
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3672
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2924
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4SpLuGErS0.bat"
                    6⤵
                      PID:440
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        7⤵
                          PID:4620
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          7⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:972
                        • C:\Program Files (x86)\Reference Assemblies\conhost.exe
                          "C:\Program Files (x86)\Reference Assemblies\conhost.exe"
                          7⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4104
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1924
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2508
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:864
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4960
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3116
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4992
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2208
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1696
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2512
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2496
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5088
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4SpLuGErS0.bat"
                            8⤵
                              PID:4536
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                9⤵
                                  PID:3604
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  9⤵
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:4232
                                • C:\Program Files (x86)\Reference Assemblies\conhost.exe
                                  "C:\Program Files (x86)\Reference Assemblies\conhost.exe"
                                  9⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:228
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4948
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:404
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3984
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1560
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3936
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4980
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4368
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4264
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2096
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:916
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                    10⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4504
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rln2uypvqA.bat"
                                    10⤵
                                      PID:3504
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        11⤵
                                          PID:4004
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          11⤵
                                            PID:3852
                                          • C:\Program Files (x86)\Reference Assemblies\conhost.exe
                                            "C:\Program Files (x86)\Reference Assemblies\conhost.exe"
                                            11⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2156
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:2124
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:860
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:2624
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:2884
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:4740
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                              12⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2372
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                              12⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2996
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1808
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:3404
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:3096
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                              12⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:2240

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Recovery\WindowsRE\Registry.exe
                        Filesize

                        2.5MB

                        MD5

                        a26ed7dc21bc77f20c0251fa25738d02

                        SHA1

                        8fc82929941d67a20c76976e796feab701795c2f

                        SHA256

                        18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

                        SHA512

                        5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
                        Filesize

                        1KB

                        MD5

                        bbb951a34b516b66451218a3ec3b0ae1

                        SHA1

                        7393835a2476ae655916e0a9687eeaba3ee876e9

                        SHA256

                        eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                        SHA512

                        63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        d85ba6ff808d9e5444a4b369f5bc2730

                        SHA1

                        31aa9d96590fff6981b315e0b391b575e4c0804a

                        SHA256

                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                        SHA512

                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        6d42b6da621e8df5674e26b799c8e2aa

                        SHA1

                        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                        SHA256

                        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                        SHA512

                        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        d28a889fd956d5cb3accfbaf1143eb6f

                        SHA1

                        157ba54b365341f8ff06707d996b3635da8446f7

                        SHA256

                        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                        SHA512

                        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        bd5940f08d0be56e65e5f2aaf47c538e

                        SHA1

                        d7e31b87866e5e383ab5499da64aba50f03e8443

                        SHA256

                        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                        SHA512

                        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        cadef9abd087803c630df65264a6c81c

                        SHA1

                        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                        SHA256

                        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                        SHA512

                        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        7d9ecfe610b58440e18d2bffe5167d71

                        SHA1

                        7afeed064042ef5e614228f678a0c595699c3d84

                        SHA256

                        2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

                        SHA512

                        017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        b2551c57c4f442d3968db9a207cfd059

                        SHA1

                        38910649f3f651586477bf47640174ae4db1e8c2

                        SHA256

                        d37658614a272d600067784941dca04367d449085124833554557d60c2ddc4c4

                        SHA512

                        b48d4a9c465415ecd67ca98f3f1b8be163af87f301a145ceb6fe8a5806c777d4bf6e6040a5468f325561333c05dd4cd9b7c678fd434909e70761998d3a5335d6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        3bdf0f0bc4de32a6f32ecb8a32ba5df1

                        SHA1

                        900c6a905984e5e16f3efe01ce2b2cc725fc64f1

                        SHA256

                        c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

                        SHA512

                        680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        32b16440fab3a1055d9c22b90935bdfb

                        SHA1

                        ee350c4a65b81468487a3660dfe4f373660b9070

                        SHA256

                        ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

                        SHA512

                        5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        145039ee65251da29aa337556cab6c61

                        SHA1

                        5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

                        SHA256

                        26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

                        SHA512

                        d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        0fd3f36f28a947bdd05f1e05acf24489

                        SHA1

                        cf12e091a80740df2201c5b47049dd231c530ad3

                        SHA256

                        d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

                        SHA512

                        5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        e2efbfd23e33d8d07d019bdd9ca20649

                        SHA1

                        68d3b285c423d311bdf8dc53354f5f4000caf386

                        SHA256

                        f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

                        SHA512

                        b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        e59140d6693b6a0f6a8617b45bdef9fe

                        SHA1

                        7157a22b2533d10fe8ed91d2c5782b44c79bbcde

                        SHA256

                        baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

                        SHA512

                        117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        cbc41bceec6e8cf6d23f68d952487858

                        SHA1

                        f52edbceff042ded7209e8be90ec5e09086d62eb

                        SHA256

                        b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

                        SHA512

                        0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        f0a41fc9c1123bb127e55ecc66c8f052

                        SHA1

                        57152411758fa3df2623cc8a4df6d9fea73652f8

                        SHA256

                        a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745

                        SHA512

                        e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        17e45724e81fad9d4f4eda74fe6b349e

                        SHA1

                        0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

                        SHA256

                        444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

                        SHA512

                        c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        01fff31a70e26012f37789b179059e32

                        SHA1

                        555b6f05cce7daf46920df1c01eb5c55dc62c9e6

                        SHA256

                        adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

                        SHA512

                        ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        26403455115fbc3da2573a37cc28744a

                        SHA1

                        6a9bf407036a8b9d36313462c0257f53b4ee9170

                        SHA256

                        222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

                        SHA512

                        be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        a1008cfb29cdc25b4180c736ec404335

                        SHA1

                        39760fbcc8c1a64e856e98d61ce194d39b727438

                        SHA256

                        0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

                        SHA512

                        00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        46bf20e17dec660ef09b16e41372a7c3

                        SHA1

                        cf8daa89a45784a385b75cf5e90d3f59706ac5d5

                        SHA256

                        719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

                        SHA512

                        91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        fa08795ae46c89bc1c82975d1dba755e

                        SHA1

                        7bdd34e3643f1fa8b6e915370aa7b06f5c7422ff

                        SHA256

                        27635ffb2dab9c4c772f51ff03961d89eb0c0841e9011f78f173f677267e69ff

                        SHA512

                        005289af4d05e63bafe564ced158f47de36f3719ecf056c493623261cdbf5fb39280e70489ceb389cdabe4fa3a4b64a67bb6b6472907fdbcfa2a35e990a971ff

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        36c0eb4cc9fdffc5d2d368d7231ad514

                        SHA1

                        ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

                        SHA256

                        f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

                        SHA512

                        4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        3b444d3f0ddea49d84cc7b3972abe0e6

                        SHA1

                        0a896b3808e68d5d72c2655621f43b0b2c65ae02

                        SHA256

                        ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

                        SHA512

                        eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        e5663972c1caaba7088048911c758bf3

                        SHA1

                        3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

                        SHA256

                        9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

                        SHA512

                        ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        2d06ce10e4e5b9e174b5ebbdad300fad

                        SHA1

                        bcc1c231e22238cef02ae25331320060ada2f131

                        SHA256

                        87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

                        SHA512

                        38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        085e0a3b869f290afea5688a8ac4e7c5

                        SHA1

                        0fedef5057708908bcca9e7572be8f46cef4f3ca

                        SHA256

                        1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

                        SHA512

                        bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        672702f55e79800155f81b200ae32c11

                        SHA1

                        dfaaf4ad96e5d49d9f0cd36de2fe59cdda0e4a70

                        SHA256

                        69efe7d499bed2ebe41ecbf1d51fc326e191e0108bfc53f4f5700175e4588179

                        SHA512

                        b488290bf641d99120db2521489322b1e5552ba4868c732c6949105e5eef0902711ef896af4641075f6b66b4dcabc7bf8942ecf1d077e21b4cf005df73522368

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        150616521d490e160cd33b97d678d206

                        SHA1

                        71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

                        SHA256

                        94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

                        SHA512

                        7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\4SpLuGErS0.bat
                        Filesize

                        183B

                        MD5

                        b9726c1c3853dd3731cca1894ac0c490

                        SHA1

                        1c2fc3c903558ee0bc75f6bf472d34881032bdde

                        SHA256

                        96f2b5762da1a9154e169033f94e29e956452d01466d1e233f660e5cdd3165f8

                        SHA512

                        f9e00e0377b16d462abca91bd94c1187baf964db6e7b13ebafdce938d2f80d71ac5f08d9c6831f569867c88aadec831a1e4d26b7041d00dc12af6bc64d7a876e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agbbtr5n.zos.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\g9kGVDPRqj.bat
                        Filesize

                        231B

                        MD5

                        8af38a8e269dd061f29c1384c3119358

                        SHA1

                        b51f7d99f4809f08b0862be8129f3251507b77da

                        SHA256

                        60e9a3daa9572f1c657c5f89587485627bcb3291018101ce69b6cc0e8c1bfd39

                        SHA512

                        81bad4898c64ea67f2a2844f6128ccb701a45d81f7e94ee97a37855251f1f1dff5dda9a358f78192f48476cdfb6bb7ee78a1f4edb18cef6f3c6156a130235d68

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat
                        Filesize

                        183B

                        MD5

                        1373ac9bc1adf40028ffb4d4a4278ee5

                        SHA1

                        ee413e1e8c1aa9eee3f7f7298b41ed419e06a463

                        SHA256

                        db4f37cb9b0e06d2f7fc3b97a76d74dd020627a1f13b6043cbfe21f536a91ebd

                        SHA512

                        b504fee76607d6803be9deb7dac3a41c84dde9b388950c9b0627783bb33c20ce53c34f8cfdfc9094c21423eb77aa333ee21db6202b53a23ec1f4e5fc5c8802cd

                        Download Submit

                      • memory/228-839-0x000000001C5F0000-0x000000001C699000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/228-838-0x000000001C520000-0x000000001C5ED000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/228-840-0x000000001BF50000-0x000000001BFBB000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/228-848-0x000000001C520000-0x000000001C5ED000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/228-849-0x000000001C5F0000-0x000000001C699000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/228-850-0x000000001BF50000-0x000000001BFBB000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/1960-354-0x000000001C020000-0x000000001C0ED000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/1960-355-0x000000001C0F0000-0x000000001C199000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/1960-356-0x000000001BA50000-0x000000001BABB000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/1960-367-0x000000001BA50000-0x000000001BABB000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/1960-366-0x000000001C0F0000-0x000000001C199000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/1960-365-0x000000001C020000-0x000000001C0ED000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/2292-43-0x000000001BD40000-0x000000001BD4E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-25-0x000000001BAB0000-0x000000001BABE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-98-0x000000001C9D0000-0x000000001CA79000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/2292-94-0x000000001C900000-0x000000001C9CD000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/2292-1-0x0000000000D10000-0x0000000000FA2000-memory.dmp

                        Filesize

                        2.6MB

                        Download

                      • memory/2292-58-0x000000001BE70000-0x000000001BE88000-memory.dmp

                        Filesize

                        96KB

                        Download

                      • memory/2292-62-0x000000001BEE0000-0x000000001BF2E000-memory.dmp

                        Filesize

                        312KB

                        Download

                      • memory/2292-60-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2292-54-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-56-0x000000001BDD0000-0x000000001BDDE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-52-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-40-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/2292-50-0x000000001BE10000-0x000000001BE6A000-memory.dmp

                        Filesize

                        360KB

                        Download

                      • memory/2292-45-0x000000001BD50000-0x000000001BD60000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-47-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-48-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-41-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-0-0x00007FFBAD563000-0x00007FFBAD565000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2292-39-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-38-0x000000001BD80000-0x000000001BD92000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2292-36-0x000000001BD60000-0x000000001BD76000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2292-16-0x000000001BC40000-0x000000001BC58000-memory.dmp

                        Filesize

                        96KB

                        Download

                      • memory/2292-34-0x000000001BC80000-0x000000001BC90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-2-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-4-0x0000000003140000-0x0000000003166000-memory.dmp

                        Filesize

                        152KB

                        Download

                      • memory/2292-5-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-7-0x0000000003110000-0x000000000311E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-108-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-9-0x000000001BA90000-0x000000001BAAC000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2292-29-0x000000001BD20000-0x000000001BD32000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2292-30-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-32-0x000000001BC70000-0x000000001BC7C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2292-27-0x000000001BC60000-0x000000001BC6C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2292-23-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-22-0x000000001BAA0000-0x000000001BAAE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2292-20-0x000000001BA90000-0x000000001BAA0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-18-0x0000000003170000-0x0000000003180000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-13-0x0000000003120000-0x0000000003130000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2292-14-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2292-11-0x000000001BC90000-0x000000001BCE0000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/2292-10-0x000000001BA70000-0x000000001BA8C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2376-528-0x000000001C750000-0x000000001C7F9000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/2376-527-0x000000001C680000-0x000000001C74D000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/2376-529-0x000000001C0B0000-0x000000001C11B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/2376-517-0x000000001C680000-0x000000001C74D000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/2376-519-0x000000001C0B0000-0x000000001C11B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/2376-518-0x000000001C750000-0x000000001C7F9000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/3316-86-0x000001CEED950000-0x000001CEED972000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4104-688-0x000000001CAC0000-0x000000001CB8D000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/4104-690-0x000000001C4F0000-0x000000001C55B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4104-689-0x000000001CB90000-0x000000001CC39000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/4104-679-0x000000001CB90000-0x000000001CC39000-memory.dmp

                        Filesize

                        676KB

                        Download

                      • memory/4104-680-0x000000001C4F0000-0x000000001C55B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4104-678-0x000000001CAC0000-0x000000001CB8D000-memory.dmp

                        Filesize

                        820KB

                        Download