dcrat | 240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84

Analysis

max time kernel
118s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Size

1.7MB
MD5

50699c5914ac35c234c6b67e35dc8db0
SHA1

e563907f1f99293ef2e71b8beb673e7e4404ee5a
SHA256

240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84
SHA512

081a456d5dfc28a833558b0fb9ed23f8b1196016f92937091db02a898a71724c2871c7f909eae3d35d6e4f8cf646e3f6cf4cb6191bc25820beeaab4737506a1b
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1884	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1884	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2924-1-0x00000000004C0000-0x0000000000680000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b88-30.dat	dcrat
behavioral2/files/0x000c000000023b76-54.dat	dcrat
behavioral2/files/0x000d000000023b76-64.dat	dcrat
behavioral2/files/0x000e000000023b7c-95.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe
2780	powershell.exe
5096	powershell.exe
3160	powershell.exe
1248	powershell.exe
1264	powershell.exe
4868	powershell.exe
116	powershell.exe
708	powershell.exe
3468	powershell.exe
3512	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 8 IoCs

pid	Process
4072	sihost.exe
4760	sihost.exe
1192	sihost.exe
3964	sihost.exe
2664	sihost.exe
3164	sihost.exe
1756	sihost.exe
4860	sihost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\RCX9FA2.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXA777.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files\Windows Mail\9e8d7a4ca61bd9	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\0a1fd5f707cd16	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXA4E5.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXA778.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files\Windows Mail\RuntimeBroker.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9FA1.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files\Windows Mail\RuntimeBroker.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXA563.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\c5b4cb5e9653cc	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\uk-UA\Registry.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Windows\uk-UA\ee2ad38f3d4382	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\uk-UA\RCX9A8C.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\uk-UA\RCX9B1A.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Windows\uk-UA\Registry.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3176	schtasks.exe
4980	schtasks.exe
4168	schtasks.exe
2064	schtasks.exe
1320	schtasks.exe
3028	schtasks.exe
1724	schtasks.exe
4432	schtasks.exe
1428	schtasks.exe
2692	schtasks.exe
680	schtasks.exe
2744	schtasks.exe
4172	schtasks.exe
4952	schtasks.exe
4756	schtasks.exe
3228	schtasks.exe
2328	schtasks.exe
2536	schtasks.exe
4360	schtasks.exe
876	schtasks.exe
4444	schtasks.exe
4032	schtasks.exe
1484	schtasks.exe
2772	schtasks.exe
2996	schtasks.exe
244	schtasks.exe
5104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
708	powershell.exe
116	powershell.exe
708	powershell.exe
116	powershell.exe
3160	powershell.exe
3160	powershell.exe
1248	powershell.exe
1248	powershell.exe
1264	powershell.exe
1264	powershell.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
3512	powershell.exe
3512	powershell.exe
5096	powershell.exe
5096	powershell.exe
4544	powershell.exe
4544	powershell.exe
3468	powershell.exe
3468	powershell.exe
2780	powershell.exe
2780	powershell.exe
708	powershell.exe
4868	powershell.exe
4868	powershell.exe
3468	powershell.exe
5096	powershell.exe
1248	powershell.exe
116	powershell.exe
1264	powershell.exe
2780	powershell.exe
3160	powershell.exe
4544	powershell.exe
3512	powershell.exe
4868	powershell.exe
4072	sihost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4072	sihost.exe
Token: SeDebugPrivilege	4760	sihost.exe
Token: SeDebugPrivilege	1192	sihost.exe
Token: SeDebugPrivilege	3964	sihost.exe
Token: SeDebugPrivilege	2664	sihost.exe
Token: SeDebugPrivilege	3164	sihost.exe
Token: SeDebugPrivilege	1756	sihost.exe
Token: SeDebugPrivilege	4860	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 116	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	110
PID 2924 wrote to memory of 116	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	110
PID 2924 wrote to memory of 4544	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	111
PID 2924 wrote to memory of 4544	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	111
PID 2924 wrote to memory of 4868	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	112
PID 2924 wrote to memory of 4868	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	112
PID 2924 wrote to memory of 3512	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	113
PID 2924 wrote to memory of 3512	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	113
PID 2924 wrote to memory of 1264	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	114
PID 2924 wrote to memory of 1264	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	114
PID 2924 wrote to memory of 1248	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	115
PID 2924 wrote to memory of 1248	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	115
PID 2924 wrote to memory of 3160	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	116
PID 2924 wrote to memory of 3160	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	116
PID 2924 wrote to memory of 5096	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	118
PID 2924 wrote to memory of 5096	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	118
PID 2924 wrote to memory of 2780	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	120
PID 2924 wrote to memory of 2780	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	120
PID 2924 wrote to memory of 3468	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	121
PID 2924 wrote to memory of 3468	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	121
PID 2924 wrote to memory of 708	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	122
PID 2924 wrote to memory of 708	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	122
PID 2924 wrote to memory of 4500	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	132
PID 2924 wrote to memory of 4500	2924	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	132
PID 4500 wrote to memory of 2212	4500	cmd.exe	134
PID 4500 wrote to memory of 2212	4500	cmd.exe	134
PID 4500 wrote to memory of 4072	4500	cmd.exe	135
PID 4500 wrote to memory of 4072	4500	cmd.exe	135
PID 4072 wrote to memory of 1332	4072	sihost.exe	139
PID 4072 wrote to memory of 1332	4072	sihost.exe	139
PID 4072 wrote to memory of 1564	4072	sihost.exe	140
PID 4072 wrote to memory of 1564	4072	sihost.exe	140
PID 1332 wrote to memory of 4760	1332	WScript.exe	144
PID 1332 wrote to memory of 4760	1332	WScript.exe	144
PID 4760 wrote to memory of 2412	4760	sihost.exe	145
PID 4760 wrote to memory of 2412	4760	sihost.exe	145
PID 4760 wrote to memory of 64	4760	sihost.exe	146
PID 4760 wrote to memory of 64	4760	sihost.exe	146
PID 2412 wrote to memory of 1192	2412	WScript.exe	149
PID 2412 wrote to memory of 1192	2412	WScript.exe	149
PID 1192 wrote to memory of 4088	1192	sihost.exe	150
PID 1192 wrote to memory of 4088	1192	sihost.exe	150
PID 1192 wrote to memory of 4976	1192	sihost.exe	151
PID 1192 wrote to memory of 4976	1192	sihost.exe	151
PID 4088 wrote to memory of 3964	4088	WScript.exe	152
PID 4088 wrote to memory of 3964	4088	WScript.exe	152
PID 3964 wrote to memory of 1696	3964	sihost.exe	153
PID 3964 wrote to memory of 1696	3964	sihost.exe	153
PID 3964 wrote to memory of 2560	3964	sihost.exe	154
PID 3964 wrote to memory of 2560	3964	sihost.exe	154
PID 1696 wrote to memory of 2664	1696	WScript.exe	155
PID 1696 wrote to memory of 2664	1696	WScript.exe	155
PID 2664 wrote to memory of 4172	2664	sihost.exe	156
PID 2664 wrote to memory of 4172	2664	sihost.exe	156
PID 2664 wrote to memory of 2564	2664	sihost.exe	157
PID 2664 wrote to memory of 2564	2664	sihost.exe	157
PID 4172 wrote to memory of 3164	4172	WScript.exe	158
PID 4172 wrote to memory of 3164	4172	WScript.exe	158
PID 3164 wrote to memory of 3656	3164	sihost.exe	159
PID 3164 wrote to memory of 3656	3164	sihost.exe	159
PID 3164 wrote to memory of 3144	3164	sihost.exe	160
PID 3164 wrote to memory of 3144	3164	sihost.exe	160
PID 3656 wrote to memory of 1756	3656	WScript.exe	161
PID 3656 wrote to memory of 1756	3656	WScript.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
"C:\Users\Admin\AppData\Local\Temp\240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZuYpZxcK9c.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2212
- - C:\Users\Default\PrintHood\sihost.exe
    "C:\Users\Default\PrintHood\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a738fa0-a152-4c94-bb78-7afd84b1e98b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d82b3d1-e1e0-49a1-96bb-e13fc08bd717.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325ee4a0-e199-4ff6-97e0-9cb514999c49.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21313a50-f2ec-4f14-8a01-36de5f59058d.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb728d63-482b-4b90-8d90-1601ce07c460.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b48c0932-918d-4697-bdec-333d9a37cdf2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46e3bc8-69fb-4927-9f81-ea789e0055cb.vbs"
        16⤵
        
        PID:2716
        
        C:\Users\Default\PrintHood\sihost.exe
        
        C:\Users\Default\PrintHood\sihost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e98f390-7485-46aa-a7e1-aafbced2eeef.vbs"
        18⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\457179c7-8c6b-4e5c-a048-18ad16072355.vbs"
        18⤵
        
        PID:644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cf881dd-ebeb-498a-8043-4406ec5981d4.vbs"
        16⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17d5e87-8296-4ad8-be33-17ad3c474301.vbs"
        14⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a964b06-f8fd-4091-a104-c9c596d0e250.vbs"
        12⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3680ccd-dde9-4a3c-b01b-52788dc1982d.vbs"
        10⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef7fada-6568-4860-b7d8-249f4282aa4d.vbs"
        8⤵
        
        PID:4976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d544fd-2963-458e-a9e5-63233b88ccb2.vbs"
        6⤵
        
        PID:64
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f50a2726-cf1b-4a91-b0d0-a301c4896ecb.vbs"
      4⤵
      PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe

Filesize
1.7MB

MD5
50699c5914ac35c234c6b67e35dc8db0

SHA1
e563907f1f99293ef2e71b8beb673e7e4404ee5a

SHA256
240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84

SHA512
081a456d5dfc28a833558b0fb9ed23f8b1196016f92937091db02a898a71724c2871c7f909eae3d35d6e4f8cf646e3f6cf4cb6191bc25820beeaab4737506a1b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\services.exe

Filesize
1.7MB

MD5
11326be174bf7ffda4cd551dbea5f860

SHA1
f477bcbf59d0f9c45287b1ce0ee58679f2381de9

SHA256
183c1328b52758328bece774cab86ceda985619a2cd5b523f6083681c7adb3cc

SHA512
5fc24b12d85186cef503e50edbfdbe6cebdcccaeb0a83d7de0d0e52bddfc9036ed2e24a579e2da93c11a0df3fe86220a47f038f12c7dcb56f5010faa4f8107bd

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
1.7MB

MD5
30d91274d5e609b4ad8ac41bbb26d40c

SHA1
1702fff30d44dad304d89ada693eb0f55b2b66a9

SHA256
4b4127e663209ff8eca771a38e4129321927707bddaea2973e52f57217613cf8

SHA512
0b530e4bd577664d22edea5fb708529c40a3b104949fbdb95d0af3b5dc7d5b7d7de126b36c33c5aea3b00fd187e84d9d9d12b44179b767f1787455aa6979c46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\21313a50-f2ec-4f14-8a01-36de5f59058d.vbs

Filesize
713B

MD5
fa87a379c9cd2365c8409fd7891831e5

SHA1
31045fb14de579b684d7b2221c5866b0a840a64c

SHA256
0459dadaa7a7753b2d11268a429997a5ea8f2a648b5ef1adb3e1e117f4ad6ddb

SHA512
54d724887d3f743f89dc2af43eb9742d3e5bce16ad51b4f520dacb0b349319420a9070b0be604307231af6e32666b05a1fca6834cd148b0714c4948a7717a6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\325ee4a0-e199-4ff6-97e0-9cb514999c49.vbs

Filesize
713B

MD5
37049a2297b52e4f77008a38f3e56b36

SHA1
2e417974fb4624246333b0f029cfbe726b523bf8

SHA256
9be328e6d8d644bbd1bb1f5b3c8f49d45fb9f15ecc198b8d386e7b2930202d68

SHA512
d4cc647ab7f5cc2507683b90953d1afc78504a23954b67484e1c09b2024ba21ee0f2eed2275dff795319e7c3f0574c33287920623e8a29e0f02b81bb4f80720d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e98f390-7485-46aa-a7e1-aafbced2eeef.vbs

Filesize
713B

MD5
d1d2eaf0fbfe1545ad075fc5f1652475

SHA1
0086082af7bc38c33dd258f4f1281922f7581208

SHA256
86e50ccc7d7839a21de28a28c7900b919945dd15317e6f70803bf5a78a7a9d69

SHA512
c5cc993ef2ba5a050b0aeea6b93615e037aea2e36d91dda23bcbdc9e85176a23d8df928c72bc9a4b70a5585b182d93019ae81a943498e6526aaad18b49e92f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a738fa0-a152-4c94-bb78-7afd84b1e98b.vbs

Filesize
713B

MD5
918a26018bafc52eb0d2a6074c66ee93

SHA1
d1da4658a78c984215cc313a891f029b03444d4a

SHA256
6a75fafdc6b1fcbaedb0aecddc2c072247b0fe12fc92569c8febc09d3f076598

SHA512
3bb05d9838720e7b15f9bc41b51873f50dc318cf584d2279cb087953332c9756b0d8eac60f800da0709ba22f3bf37239d19acdb7d847a32654bd629ebdbdb0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d82b3d1-e1e0-49a1-96bb-e13fc08bd717.vbs

Filesize
713B

MD5
69d58f29fb90e90c3d1c30c28b385548

SHA1
8c274e8d585dae1b0a9ec028249e01eaffae6f0f

SHA256
30217cab7cdd1f6d16ba09be8aecf4cc4a3f46909721a456124017cd15f8056d

SHA512
79ebe0b4c1993f8b16815fe93484a084077c819e0e9108633eff53ec588c0af42f26712c091a56d3285bf6438a3b3e91bb5d50a811e7c2e0a51af3512064d39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuYpZxcK9c.bat

Filesize
202B

MD5
55889a65127067dd19351637e41ea4b0

SHA1
cd679c59fc86179ee3d8d99b58ad5069ee1fc70a

SHA256
6d7fae678be1930a31894532af43f570ace743a863e5fa7b00203b27871ca424

SHA512
b0215742529301765147ccad2db2162d217716b247b81a698fc6948f0593f1f919ba0b8374356650b4a7b87076caf8dbacc6439126cd45a3b47d8de58b4314d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twqusgsn.gwb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b48c0932-918d-4697-bdec-333d9a37cdf2.vbs

Filesize
713B

MD5
6f0ffa0bec502678851a8f0f0cb574ac

SHA1
658db6090d6cabc8e3506a5d3e2f915f109dbf89

SHA256
1243dad24d4b70dd4ec0dec2a0acbeb764652d682856a7a15b81be799b76c3a8

SHA512
8890029d9c7cbdf019e9dd5ba0f767c316df8daca34f1f7d794c064c8f45751c60fa226750f0060bea2536a9a3f562faa1d97e1dbf78187caa58b9a4fc3838b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb728d63-482b-4b90-8d90-1601ce07c460.vbs

Filesize
713B

MD5
ddf9cc2e9e24e9299961c861310e7f93

SHA1
1bc6e5cdcceb06dc56c461b21970492fc6c4f0f9

SHA256
2a6183eedb81518c9dd116a8b868d0adf78ef3b09f62753fa991bbed615134c2

SHA512
07e9c9f6f501be27f5d1c8053b59049cd7a8dc51ffd2720e488b895689d1bb57f513b78076ee0cb6f36f61c4a2bf2e0112f44a49070bed155ce36d096e05f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\f46e3bc8-69fb-4927-9f81-ea789e0055cb.vbs

Filesize
713B

MD5
783735b903e3f1a93ffb54e5f9f76fa5

SHA1
de5312972244bc57e6b180d70717ef93b93d3de7

SHA256
2d56357084f963bdec71779afc8a4fdc52c3e1f920fc17dfabd0ac3f18769a11

SHA512
c8687d4d4dab4e3f5929b01739d24c5484a2650cfbff740af1e6e1d391f2e2c4945c3bba481197e4ecdc086e21323765ad7d098b200a03717f7e2e3d7d7d568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f50a2726-cf1b-4a91-b0d0-a301c4896ecb.vbs

Filesize
489B

MD5
fd454139cf12c8d19bed0df2f6ec17b9

SHA1
647a4fe8ca457ab3d831591959a543d0bbc60bae

SHA256
5d104b5413a23b4330ed3e917dddeaee8826a17a76814e07512d22dda58927ad

SHA512
6046a02b103f3062d83bba3dbb6dd941dd6c6fdc8cd16989ef49def3b64bb18bbc339b2cfa39643005008dea7211b228f6c356230e568468b418c4a5e3af24e0

Download Submit
C:\Windows\uk-UA\RCX9B1A.tmp

Filesize
1.7MB

MD5
eb0fe97fb2e8f33f80b5dd80c3301b86

SHA1
3e6412267b9cc7a552b372e4f4256ed8a6f5756c

SHA256
e2f767bc910c6178e3ee9fc6432f2eb27cd4981ec530a0321a1df3d7ccbbe018

SHA512
4e63a43d3db686ad22256d55406544de132363305e12da1a9952dd6083bbe96b21782416a960de740b7bc6aa4f175d7c27c6badfd364d52568eacf70fdb820f7

Download Submit
memory/1248-166-0x0000029E78560000-0x0000029E78582000-memory.dmp

Filesize
136KB

Download
memory/2924-13-0x000000001BEF0000-0x000000001C418000-memory.dmp

Filesize
5.2MB

Download
memory/2924-15-0x000000001B960000-0x000000001B96A000-memory.dmp

Filesize
40KB

Download
memory/2924-10-0x000000001B2F0000-0x000000001B2F8000-memory.dmp

Filesize
32KB

Download
memory/2924-12-0x000000001B920000-0x000000001B932000-memory.dmp

Filesize
72KB

Download
memory/2924-153-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/2924-19-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/2924-159-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2924-22-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2924-18-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/2924-16-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/2924-14-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/2924-23-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2924-1-0x00000000004C0000-0x0000000000680000-memory.dmp

Filesize
1.8MB

Download
memory/2924-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/2924-17-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/2924-9-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

Filesize
48KB

Download
memory/2924-8-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2924-2-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2924-7-0x000000001B2C0000-0x000000001B2D6000-memory.dmp

Filesize
88KB

Download
memory/2924-4-0x000000001B970000-0x000000001B9C0000-memory.dmp

Filesize
320KB

Download
memory/2924-5-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/2924-6-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2924-3-0x00000000027A0000-0x00000000027BC000-memory.dmp

Filesize
112KB

Download
memory/3164-350-0x000000001C060000-0x000000001C162000-memory.dmp

Filesize
1.0MB

Download
memory/4072-282-0x000000001B2F0000-0x000000001B302000-memory.dmp

Filesize
72KB

Download
memory/4760-295-0x000000001B080000-0x000000001B092000-memory.dmp

Filesize
72KB

Download