Overview

overview

10

Static

static

10

findme.exe

windows7-x64

10

findme.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    findme.exe

  • Size

    3.2MB

  • MD5

    4fabffd3dfad2d1e11ae2317b40b6e4a

  • SHA1

    df2ce294dc75060632bfb45add20e69ccc9396c1

  • SHA256

    079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a

  • SHA512

    bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed

  • SSDEEP

    49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat 40 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\findme.exe
    "C:\Users\Admin\AppData\Local\Temp\findme.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\runtimebrokerHost\webnetdhcp.exe
          "C:\runtimebrokerHost\webnetdhcp.exe"
          4⤵
          • DcRat
          • Drops file in Drivers directory
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4152
          • C:\runtimebrokerHost\webnetdhcp.exe
            "C:\runtimebrokerHost\webnetdhcp.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2228
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\SearchApp.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\OfficeClickToRun.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3240
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4268
            • C:\Program Files (x86)\Windows Mail\fontdrvhost.exe
              "C:\Program Files (x86)\Windows Mail\fontdrvhost.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1904
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec6b555-d2a8-4b83-899b-27cc847c168c.vbs"
                7⤵
                  PID:2856
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cfb57ae-7e09-42bc-822f-1b1efa4bbb30.vbs"
                  7⤵
                    PID:984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4120
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\runtimebrokerHost\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\runtimebrokerHost\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\runtimebrokerHost\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\runtimebrokerHost\SearchApp.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\runtimebrokerHost\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\runtimebrokerHost\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3100
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:1968

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\webnetdhcp.exe.log
          Filesize

          2KB

          MD5

          99da3873d642965d684e1b42282bb2ce

          SHA1

          16e39caa2074da0469ea30fc9426befa9b31a2e0

          SHA256

          cefa34f559ecb2e8524e92c845b09a3dd2fd653aa1d5a57731c2cf66a0b38793

          SHA512

          f62d48621955191f731a603ea3e44a0629662f86d2958fe813da4c705e7f1dfa117d7880604e43116e3e5110e94340f9f108b56a59ba22ada76798e3eb34c11f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          bd5940f08d0be56e65e5f2aaf47c538e

          SHA1

          d7e31b87866e5e383ab5499da64aba50f03e8443

          SHA256

          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

          SHA512

          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          3a6bad9528f8e23fb5c77fbd81fa28e8

          SHA1

          f127317c3bc6407f536c0f0600dcbcf1aabfba36

          SHA256

          986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

          SHA512

          846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e59140d6693b6a0f6a8617b45bdef9fe

          SHA1

          7157a22b2533d10fe8ed91d2c5782b44c79bbcde

          SHA256

          baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

          SHA512

          117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a6b52a780f8659d0f00389ad919afcb0

          SHA1

          962f2e166258cba4e4d486253258d530ce1eb285

          SHA256

          2e8489efcf7d02e51dfed0dd02722de2f67e0b987f3598a017d325f3b2ce6c6a

          SHA512

          2754f14e08aabef5f1784223c68c70a1532129f653a5e76bc469e5f800ffdd5d60a2f578646020b144632e0bc9bc8ccfff4382d01d04c68031c3aace07510e8f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          c4fee36040f3f2bd5ab8cf4ceb483d10

          SHA1

          7766b611607f908c4161c7a4dd8f9f1f31e7aa3b

          SHA256

          b9bb27c86647601607b2568ccc541c36ffa769424eb6971898f231b1d7a9bf82

          SHA512

          51a102819956a0bfc076a1f9287ddad1cd39fa365a8ef4ecc24ae426c5cda6969db1dd8b2362dd836976d6fc916e6283185591beac49b4b1b7f5788eae695237

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          240B

          MD5

          5049e0f5c1f86593abd34529a6acff48

          SHA1

          78ce4639d09d523b7800c5227e6b5e032588cdcf

          SHA256

          74b4ccf46a32ae38ac21b651d331f7bed58a8873acfd65f62b8e36b2ecdca8d1

          SHA512

          bde4d604564587ca75e8cb1ff2938d37ef8f085c88e8d599d1ea344cc239007232b28344b34a7c19a256d31e3e4b38a8a46440e4c243da48f52d309eadc1e2a7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0cfb57ae-7e09-42bc-822f-1b1efa4bbb30.vbs
          Filesize

          503B

          MD5

          10ec4667e05d4693616c87e108bc70f2

          SHA1

          41848f46597bae1009bca6b4b5ec0ca971217762

          SHA256

          a07150266f8802d41e783cc0d85f7b8407b4f3add1a963bdbd1247f0d53003b4

          SHA512

          005ba4b62b7468992b71a69f6efaec54dab9c638660a5e00cb28fb0f96a1f9019dc3cd7359d31426cdaf7e3d82aff793b14eba44364fd1af86665e0b349d2ba7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3ec6b555-d2a8-4b83-899b-27cc847c168c.vbs
          Filesize

          727B

          MD5

          46b93042571a610ba2abb3949ec099f6

          SHA1

          e28ad159a3b3afae092f9226e84b6c42bae8f064

          SHA256

          06170bbf1c71d67e190b6c91bbc52ced7a016d8c947ca8ff5af9599b404d5de9

          SHA512

          4fe23baf39ad67f01566b98ef95cfbb7e8a1e9df886a1a0f3156d587a60c871d6de3f24bdb4e3325b8521e8aaa2c38bc50d856e85afd3c20b2be3300667718f1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uk030mys.i30.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat
          Filesize

          37B

          MD5

          2f75cb9c29ad8dc8dab47b39673a8f09

          SHA1

          89b9602bcf66bea31f020c426878acc7aa922b44

          SHA256

          a42bdf46c460b2e7baa4ec022dba0474a9a9a9eef343ae824a533e1ff700417e

          SHA512

          54e8c98fafbeeb42af261747afcf763e17113ef5ee4e23501f6088da93fd004c9db28c1d41c7c9a3fe05211abf9cd40ada3db993cbdd545cb88c32c77eb07812

          Download Submit

        • C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe
          Filesize

          223B

          MD5

          e63c96d58301c1f1e3dae1378b1b0eca

          SHA1

          186598fa4a820157a4c284450f13c567bb3cb90e

          SHA256

          ee8722b767b0c57b52c64cdb9f7b4eca2b3593fbcde9c6106391a6b065195b2a

          SHA512

          390d7a2404c0379ff64c26bc6e046e09d6ab420aade79d7a1e8e2aada032c81621f4aaa5faaa1d3c4049799e3fca91f08198e306d2b2e0a2a0947a50e7d345c8

          Download Submit

        • C:\runtimebrokerHost\webnetdhcp.exe
          Filesize

          2.9MB

          MD5

          eec01d18c981a5973da10c8cbac73764

          SHA1

          a366e8aff64b3b84c129a54615700b9a6a3238c1

          SHA256

          4c8610c40e37fb70da6b33ad42c7f5d8a0cc34a16c34a3837af521efbf79fa2f

          SHA512

          6425dd22c982be9bc1b10a5b885ca1e610b6ee30f2c3a5181f5d6bcdb5a84bdf6b4a5a851c9552f9b7b1f29d5141ecd2ffb0d00d41f3b70c64f7f332a877f165

          Download Submit

        • memory/1692-135-0x000000001CD40000-0x000000001CD96000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1692-134-0x000000001BDD0000-0x000000001BDE2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1904-245-0x000000001DC80000-0x000000001DE42000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3128-21-0x0000000003290000-0x00000000032A2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3128-26-0x000000001BD80000-0x000000001BD8C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3128-30-0x000000001D150000-0x000000001D678000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3128-31-0x00000000017C0000-0x00000000017CC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3128-33-0x00000000017E0000-0x00000000017EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3128-34-0x00000000017F0000-0x00000000017FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3128-35-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3128-37-0x000000001BDD0000-0x000000001BDDC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3128-36-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-32-0x00000000017D0000-0x00000000017D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-39-0x000000001BDF0000-0x000000001BDFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3128-38-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-40-0x000000001BE00000-0x000000001BE0C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3128-27-0x000000001BD90000-0x000000001BD98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-12-0x00007FF91E233000-0x00007FF91E235000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3128-29-0x000000001BDA0000-0x000000001BDB2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3128-25-0x00000000034A0000-0x00000000034A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-24-0x0000000003490000-0x000000000349C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3128-23-0x000000001CBD0000-0x000000001CC26000-memory.dmp

          Filesize

          344KB

          Download

        • memory/3128-22-0x00000000032A0000-0x00000000032A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-20-0x0000000003270000-0x0000000003286000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3128-19-0x0000000003260000-0x0000000003268000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-18-0x00000000033D0000-0x0000000003420000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3128-17-0x0000000003240000-0x000000000325C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3128-16-0x0000000003230000-0x0000000003238000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3128-15-0x00000000031C0000-0x00000000031CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3128-14-0x0000000001800000-0x000000000180E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3128-13-0x0000000000CA0000-0x0000000000F98000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/4152-64-0x000001BD71DE0000-0x000001BD71E02000-memory.dmp

          Filesize

          136KB

          Download