dcrat | 7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Size

1.7MB
MD5

6d5faed87aba710c68377628f3cd1ad0
SHA1

95e477a9a047e2bf841e7ff88d484fbdc33c9182
SHA256

7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8
SHA512

c4c5877da078e10e38391ab0d233815b41306ba9f7660a5a7bb3d5a5b9d82733a33411b29408a177798c35047ad8aa784c02bb32aa641d1d5fb633800b8a03de
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2220	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2220	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4016-1-0x0000000000DE0000-0x0000000000FA0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb1-32.dat	dcrat
behavioral2/files/0x0009000000023cb0-53.dat	dcrat
behavioral2/files/0x0009000000023cb1-64.dat	dcrat
behavioral2/memory/3436-202-0x0000000000E90000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
1428	powershell.exe
2308	powershell.exe
228	powershell.exe
3132	powershell.exe
3472	powershell.exe
1772	powershell.exe
784	powershell.exe
3096	powershell.exe
2376	powershell.exe
1816	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Executes dropped EXE 7 IoCs

pid	Process
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4656	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\a937681b347638	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB51E.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB21E.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB28C.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB4A0.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Uninstall Information\spoolsv.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4384	schtasks.exe
4764	schtasks.exe
4584	schtasks.exe
4000	schtasks.exe
1852	schtasks.exe
3080	schtasks.exe
1536	schtasks.exe
4496	schtasks.exe
3532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
1732	powershell.exe
1732	powershell.exe
3472	powershell.exe
3472	powershell.exe
3132	powershell.exe
3132	powershell.exe
2376	powershell.exe
2376	powershell.exe
2308	powershell.exe
2308	powershell.exe
228	powershell.exe
228	powershell.exe
3096	powershell.exe
3096	powershell.exe
1428	powershell.exe
1428	powershell.exe
784	powershell.exe
784	powershell.exe
1816	powershell.exe
1816	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
784	powershell.exe
3132	powershell.exe
1732	powershell.exe
2376	powershell.exe
2308	powershell.exe
1428	powershell.exe
228	powershell.exe
3472	powershell.exe
3096	powershell.exe
1816	powershell.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	4656	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 228	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	92
PID 4016 wrote to memory of 228	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	92
PID 4016 wrote to memory of 1732	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	93
PID 4016 wrote to memory of 1732	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	93
PID 4016 wrote to memory of 3132	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	94
PID 4016 wrote to memory of 3132	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	94
PID 4016 wrote to memory of 3472	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	95
PID 4016 wrote to memory of 3472	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	95
PID 4016 wrote to memory of 1816	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	96
PID 4016 wrote to memory of 1816	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	96
PID 4016 wrote to memory of 2308	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	97
PID 4016 wrote to memory of 2308	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	97
PID 4016 wrote to memory of 2376	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	98
PID 4016 wrote to memory of 2376	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	98
PID 4016 wrote to memory of 3096	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	99
PID 4016 wrote to memory of 3096	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	99
PID 4016 wrote to memory of 1428	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	100
PID 4016 wrote to memory of 1428	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	100
PID 4016 wrote to memory of 784	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	101
PID 4016 wrote to memory of 784	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	101
PID 4016 wrote to memory of 1772	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	102
PID 4016 wrote to memory of 1772	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	102
PID 4016 wrote to memory of 4640	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	114
PID 4016 wrote to memory of 4640	4016	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	114
PID 4640 wrote to memory of 3676	4640	cmd.exe	116
PID 4640 wrote to memory of 3676	4640	cmd.exe	116
PID 4640 wrote to memory of 3436	4640	cmd.exe	120
PID 4640 wrote to memory of 3436	4640	cmd.exe	120
PID 3436 wrote to memory of 4656	3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	121
PID 3436 wrote to memory of 4656	3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	121
PID 3436 wrote to memory of 1668	3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	122
PID 3436 wrote to memory of 1668	3436	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	122
PID 4656 wrote to memory of 5064	4656	WScript.exe	126
PID 4656 wrote to memory of 5064	4656	WScript.exe	126
PID 5064 wrote to memory of 1284	5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	127
PID 5064 wrote to memory of 1284	5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	127
PID 5064 wrote to memory of 3664	5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	128
PID 5064 wrote to memory of 3664	5064	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	128
PID 1284 wrote to memory of 4372	1284	WScript.exe	131
PID 1284 wrote to memory of 4372	1284	WScript.exe	131
PID 4372 wrote to memory of 1612	4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	132
PID 4372 wrote to memory of 1612	4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	132
PID 4372 wrote to memory of 2632	4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	133
PID 4372 wrote to memory of 2632	4372	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	133
PID 1612 wrote to memory of 3516	1612	WScript.exe	134
PID 1612 wrote to memory of 3516	1612	WScript.exe	134
PID 3516 wrote to memory of 620	3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	135
PID 3516 wrote to memory of 620	3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	135
PID 3516 wrote to memory of 2860	3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	136
PID 3516 wrote to memory of 2860	3516	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	136
PID 620 wrote to memory of 2944	620	WScript.exe	137
PID 620 wrote to memory of 2944	620	WScript.exe	137
PID 2944 wrote to memory of 2800	2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	138
PID 2944 wrote to memory of 2800	2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	138
PID 2944 wrote to memory of 4984	2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	139
PID 2944 wrote to memory of 4984	2944	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	139
PID 2800 wrote to memory of 888	2800	WScript.exe	140
PID 2800 wrote to memory of 888	2800	WScript.exe	140
PID 888 wrote to memory of 3872	888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	141
PID 888 wrote to memory of 3872	888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	141
PID 888 wrote to memory of 232	888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	142
PID 888 wrote to memory of 232	888	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	142
PID 3872 wrote to memory of 4656	3872	WScript.exe	143
PID 3872 wrote to memory of 4656	3872	WScript.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
"C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N2f6qnRTJD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3676
- - C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c699479e-342d-4cbe-9ba1-4a723259bb13.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e9e11d8-3443-49fa-bf4d-f0e211b138b0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbcc998a-2453-4ff9-b5b7-274aef58189e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604bd61f-9279-45a8-848d-f1b519977e01.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a2d9e2-18fb-4a78-a41b-7847c4df7177.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d0036b0-1a64-4f0a-99ce-213c1344642d.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68cec5ef-5ecb-404b-a092-2bba5a2d67ae.vbs"
        16⤵
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5c8eac-fa50-4810-87e9-d1c7e96f8f97.vbs"
        16⤵
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c940abd-c5bb-436c-bcbc-e5883549c3a6.vbs"
        14⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2d8396-ce2b-4d5b-b38e-a71147e35803.vbs"
        12⤵
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa9d725-9c59-421a-a64b-0440b07bf9fa.vbs"
        10⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d915bfc7-75a4-468f-8eb7-4b7d2141352a.vbs"
        8⤵
        
        PID:2632
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\727cb6a0-121c-4597-a935-d42eefcc36ff.vbs"
        6⤵
        
        PID:3664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\926c5f4a-767f-4540-954e-fbd0f1a4522d.vbs"
      4⤵
      PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Filesize
1.7MB

MD5
ce4b47424818de6cabccde057d903563

SHA1
76711a424ccfe489b9083cec703c19218be400e9

SHA256
fea539189750489ad8cbe38c380442314d978049bf190049d983ee5568508e90

SHA512
45fee99964d00193c591f74c940d6934b8166373a12bbc250a6d70c52ed943020812ae0f7dcaa36511fed916eb4731e80c09c175f406aae5d8a44e780608c04d

Download Submit
C:\Program Files\Uninstall Information\spoolsv.exe

Filesize
1.7MB

MD5
e3bbb4e7460ceda7341ef67a82d86f7d

SHA1
ab04326267d58c70e9c1a61cbbaae8c345140642

SHA256
24f88920ed1fca03fb292c2e14044b2f094ad25a454e7fa1391f91da03738933

SHA512
02f9159cef46df73eb05f93bfdfe0b37da8272460a80efa7532143e4dd39e200453c5183ec84c69049d51cc4b4da9045c931547536cb86cd84eb265102868b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d0036b0-1a64-4f0a-99ce-213c1344642d.vbs

Filesize
795B

MD5
02b27cd1be9a889e4d36367f89adc1e4

SHA1
d71f6938a335323189a1daea9483d1ed74c25f89

SHA256
d0224509df332ab96203d3a55038d0af655fee1004d33a48f617c7031bf59075

SHA512
1d2ccd0254a9ed358c2b1292179050379fe4fa74906f8d3f24b6a9c11490f97bee426b56c59e92dfc69816d04cf8cfd7cea41a514e9b85bb5122d7a2e80ee5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e9e11d8-3443-49fa-bf4d-f0e211b138b0.vbs

Filesize
796B

MD5
09efc86169e273eef8275537988fa4c3

SHA1
54bd8deb8030b88a1cbebda1db82c06409f62fb9

SHA256
e5f13d2b539e1a9dd9da8c27ba2a83520c05d6e843719738d99da3cb62843acd

SHA512
58301aaaa8a3d3444bbf43582562f8ec55549290b7e7e43586b58e5f5ff5ec4142606c4fbff1317d64912ccb171b186a9353d4e4e5fe0f803478ec0f44a82c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\604bd61f-9279-45a8-848d-f1b519977e01.vbs

Filesize
796B

MD5
dfc8689bf79037f29dcef2de5bc52407

SHA1
40fd1448c0ee1676e93ee4eb210093e33bf06789

SHA256
27590ec1dc9a14084e8d23ade42cf86cf70d65e18bfc1fed4884b17eced0b3df

SHA512
12fdcf8f5537e9fa5535f1678f8eaed7af103e288f42b9d2e945368626f342859efc4b75c65d5d14716e7da7b60abe967386bf8b5fede58676f489ff1547335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\68cec5ef-5ecb-404b-a092-2bba5a2d67ae.vbs

Filesize
796B

MD5
250c43c513aa662857c89f85ffe0e37b

SHA1
3fb9ed53e012f51cd883527537d520d589ce34ce

SHA256
88e45501b4e838db1ba9b410673a8e76a6510f7f735664363066130fc9a519f9

SHA512
85afc077d47d7dcb5180736e96b7c001e35f5db9c3596aea729b7d118daa9f4f98a3637de23db7d6a0c788bb5219dbd9c6cc9811e9a795717ca23c443156cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\727cb6a0-121c-4597-a935-d42eefcc36ff.vbs

Filesize
572B

MD5
2f8015f18138813908896109c6aab710

SHA1
aca9e089e0217882e0a0cca32742a099f635043f

SHA256
cded9f7f7a274f8c3b94e5fe11c837a0c6c093f3bdf22ea78be2649bff4ab5cb

SHA512
93f0a6941b8f2f938302bd3a3e594ae79d8dc0ff8262ab532b527cb51201fbbbcf9f34e3c3bf840eda6207e8670ae691c1092aa80fe1a66016aa4e5b8e3a1800

Download Submit
C:\Users\Admin\AppData\Local\Temp\N2f6qnRTJD.bat

Filesize
285B

MD5
1934799ef43e92755f2a9c59c1d1b626

SHA1
9092a955fa1daa28b08c0480924ca6b21eca37d9

SHA256
875a16ecbb421642423bbf6e70b8aa4f098e2e5fedaa5c1b1465f6e92e6e5fc2

SHA512
96c620e13b64d95dbf6e67e99389782111a61c754bfdcfd0f2010ca200f9a839213901dfc366d5b3095c866e0238767bbf032827e8e99b2fc2ce3cfaf9587923

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXADB6.tmp

Filesize
1.7MB

MD5
6d5faed87aba710c68377628f3cd1ad0

SHA1
95e477a9a047e2bf841e7ff88d484fbdc33c9182

SHA256
7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8

SHA512
c4c5877da078e10e38391ab0d233815b41306ba9f7660a5a7bb3d5a5b9d82733a33411b29408a177798c35047ad8aa784c02bb32aa641d1d5fb633800b8a03de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3lheeqm.vig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c699479e-342d-4cbe-9ba1-4a723259bb13.vbs

Filesize
796B

MD5
f87f4102fd4e9343933e12aa099bb743

SHA1
c9390ef79302a1fa4f073a89958ccd09482b96c4

SHA256
517ff78e2ad57c48fe81f2bdd06d8d8bf8eceb3576bcc05841adb66fbd8a51d0

SHA512
bb521ad7a339b1052a11a3f1b9c89854acffbf8aa651205e38738e4ef26dfa36910d702b2baddb642d8494aefa65787cd6790cad42b28e72c00e2ac68aed8039

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbcc998a-2453-4ff9-b5b7-274aef58189e.vbs

Filesize
796B

MD5
5742d1908e5762146f86eb7f3f90eace

SHA1
d9d2a45a33ecd5e5f497d88c6661897e848cdb51

SHA256
9cce0a622c97590ea674a6be3a5ec22b427c9aa0eb8eadd2d857928f66e38880

SHA512
52762e54b987d39c450c235969a22a2bd37ec01851140f8a406f73f08cc53a61c9f7a62bf973b69478c37fe09efcfff188aa9a5a8dc311b226ec40ec08f042b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6a2d9e2-18fb-4a78-a41b-7847c4df7177.vbs

Filesize
796B

MD5
c4d4b64b6e9f6bc7c3232586005f1f7e

SHA1
535c0be27d44c8f0025bf98eae4fbe8ff3b4860b

SHA256
397c34580f1e00e1ee8846a6a42e74d29501b7dfc7dce2f069bec234be649542

SHA512
0e0aafe1ec3efaf802ad805b227f991ac939c03ff3fda29f08af8eee02f68491923db4a5b11c7b443c9565510a1078a5a30747056bfdd5062c4f596fb68bcf18

Download Submit
memory/1732-91-0x00000249E8220000-0x00000249E8242000-memory.dmp

Filesize
136KB

Download
memory/3436-203-0x000000001BAE0000-0x000000001BAF2000-memory.dmp

Filesize
72KB

Download
memory/3436-202-0x0000000000E90000-0x0000000001050000-memory.dmp

Filesize
1.8MB

Download
memory/4016-1-0x0000000000DE0000-0x0000000000FA0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-12-0x000000001C240000-0x000000001C252000-memory.dmp

Filesize
72KB

Download
memory/4016-23-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4016-22-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4016-19-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download
memory/4016-5-0x0000000003080000-0x0000000003088000-memory.dmp

Filesize
32KB

Download
memory/4016-6-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/4016-4-0x000000001C270000-0x000000001C2C0000-memory.dmp

Filesize
320KB

Download
memory/4016-3-0x0000000003060000-0x000000000307C000-memory.dmp

Filesize
112KB

Download
memory/4016-2-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4016-10-0x000000001C230000-0x000000001C238000-memory.dmp

Filesize
32KB

Download
memory/4016-73-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4016-16-0x000000001C560000-0x000000001C56E000-memory.dmp

Filesize
56KB

Download
memory/4016-9-0x000000001C220000-0x000000001C22C000-memory.dmp

Filesize
48KB

Download
memory/4016-8-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/4016-0-0x00007FF816963000-0x00007FF816965000-memory.dmp

Filesize
8KB

Download
memory/4016-17-0x000000001C3D0000-0x000000001C3D8000-memory.dmp

Filesize
32KB

Download
memory/4016-18-0x000000001C3E0000-0x000000001C3EC000-memory.dmp

Filesize
48KB

Download
memory/4016-15-0x000000001C540000-0x000000001C54A000-memory.dmp

Filesize
40KB

Download
memory/4016-14-0x000000001C2C0000-0x000000001C2CC000-memory.dmp

Filesize
48KB

Download
memory/4016-13-0x000000001C7F0000-0x000000001CD18000-memory.dmp

Filesize
5.2MB

Download
memory/4016-7-0x000000001BBE0000-0x000000001BBF6000-memory.dmp

Filesize
88KB

Download
memory/4656-269-0x000000001B1B0000-0x000000001B1C2000-memory.dmp

Filesize
72KB

Download
memory/5064-213-0x0000000000FD0000-0x0000000000FE2000-memory.dmp

Filesize
72KB

Download