dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dadf12489ed76150718a6ef93c7fe010.exe
Size

5.9MB
MD5

dadf12489ed76150718a6ef93c7fe010
SHA1

1895e40361a27955832e7bc518359440fb716236
SHA256

3769933e54a8e2c3df8af84017b52a270b5307cea7df0386d860214bb9fda3eb
SHA512

4edfdc0b1231d4c757ada0f66711fafb13f812e9c8cc0b10efd41f514732a3ab6607a5403ea2b1c711758a72964ef9cc9cd962e7a5ad0be0356b339677cc9c94
SSDEEP

98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4/:ByeU11Rvqmu8TWKnF6N/1wG

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	3608	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3608	schtasks.exe	87

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dadf12489ed76150718a6ef93c7fe010.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1428	powershell.exe
1640	powershell.exe
3008	powershell.exe
3548	powershell.exe
3280	powershell.exe
3636	powershell.exe
3476	powershell.exe
4900	powershell.exe
3024	powershell.exe
4052	powershell.exe
4352	powershell.exe
1496	powershell.exe
4184	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dadf12489ed76150718a6ef93c7fe010.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dadf12489ed76150718a6ef93c7fe010.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
5468	winlogon.exe
3736	winlogon.exe
780	winlogon.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dadf12489ed76150718a6ef93c7fe010.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
5468	winlogon.exe
5468	winlogon.exe
3736	winlogon.exe
3736	winlogon.exe
780	winlogon.exe
780	winlogon.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\csrss.exe	dadf12489ed76150718a6ef93c7fe010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dadf12489ed76150718a6ef93c7fe010.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1928	schtasks.exe
4200	schtasks.exe
2868	schtasks.exe
4396	schtasks.exe
1940	schtasks.exe
2532	schtasks.exe
780	schtasks.exe
8	schtasks.exe
1732	schtasks.exe
2264	schtasks.exe
952	schtasks.exe
748	schtasks.exe
888	schtasks.exe
548	schtasks.exe
2696	schtasks.exe
2824	schtasks.exe
1264	schtasks.exe
4560	schtasks.exe
224	schtasks.exe
4784	schtasks.exe
3892	schtasks.exe
3756	schtasks.exe
3052	schtasks.exe
3248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
1040	dadf12489ed76150718a6ef93c7fe010.exe
4184	powershell.exe
4184	powershell.exe
3024	powershell.exe
3024	powershell.exe
4900	powershell.exe
4900	powershell.exe
1428	powershell.exe
1428	powershell.exe
3548	powershell.exe
3548	powershell.exe
4052	powershell.exe
4052	powershell.exe
1640	powershell.exe
1640	powershell.exe
3008	powershell.exe
3008	powershell.exe
3280	powershell.exe
3280	powershell.exe
3636	powershell.exe
3636	powershell.exe
4352	powershell.exe
4352	powershell.exe
1496	powershell.exe
1496	powershell.exe
3476	powershell.exe
3476	powershell.exe
4352	powershell.exe
1496	powershell.exe
3476	powershell.exe
3636	powershell.exe
4184	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	dadf12489ed76150718a6ef93c7fe010.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	5468	winlogon.exe
Token: SeDebugPrivilege	3736	winlogon.exe
Token: SeDebugPrivilege	780	winlogon.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3636	1040	dadf12489ed76150718a6ef93c7fe010.exe	116
PID 1040 wrote to memory of 3636	1040	dadf12489ed76150718a6ef93c7fe010.exe	116
PID 1040 wrote to memory of 4184	1040	dadf12489ed76150718a6ef93c7fe010.exe	117
PID 1040 wrote to memory of 4184	1040	dadf12489ed76150718a6ef93c7fe010.exe	117
PID 1040 wrote to memory of 3280	1040	dadf12489ed76150718a6ef93c7fe010.exe	118
PID 1040 wrote to memory of 3280	1040	dadf12489ed76150718a6ef93c7fe010.exe	118
PID 1040 wrote to memory of 1496	1040	dadf12489ed76150718a6ef93c7fe010.exe	119
PID 1040 wrote to memory of 1496	1040	dadf12489ed76150718a6ef93c7fe010.exe	119
PID 1040 wrote to memory of 4352	1040	dadf12489ed76150718a6ef93c7fe010.exe	120
PID 1040 wrote to memory of 4352	1040	dadf12489ed76150718a6ef93c7fe010.exe	120
PID 1040 wrote to memory of 4052	1040	dadf12489ed76150718a6ef93c7fe010.exe	121
PID 1040 wrote to memory of 4052	1040	dadf12489ed76150718a6ef93c7fe010.exe	121
PID 1040 wrote to memory of 3024	1040	dadf12489ed76150718a6ef93c7fe010.exe	122
PID 1040 wrote to memory of 3024	1040	dadf12489ed76150718a6ef93c7fe010.exe	122
PID 1040 wrote to memory of 3548	1040	dadf12489ed76150718a6ef93c7fe010.exe	123
PID 1040 wrote to memory of 3548	1040	dadf12489ed76150718a6ef93c7fe010.exe	123
PID 1040 wrote to memory of 4900	1040	dadf12489ed76150718a6ef93c7fe010.exe	124
PID 1040 wrote to memory of 4900	1040	dadf12489ed76150718a6ef93c7fe010.exe	124
PID 1040 wrote to memory of 3476	1040	dadf12489ed76150718a6ef93c7fe010.exe	125
PID 1040 wrote to memory of 3476	1040	dadf12489ed76150718a6ef93c7fe010.exe	125
PID 1040 wrote to memory of 3008	1040	dadf12489ed76150718a6ef93c7fe010.exe	126
PID 1040 wrote to memory of 3008	1040	dadf12489ed76150718a6ef93c7fe010.exe	126
PID 1040 wrote to memory of 1640	1040	dadf12489ed76150718a6ef93c7fe010.exe	128
PID 1040 wrote to memory of 1640	1040	dadf12489ed76150718a6ef93c7fe010.exe	128
PID 1040 wrote to memory of 1428	1040	dadf12489ed76150718a6ef93c7fe010.exe	130
PID 1040 wrote to memory of 1428	1040	dadf12489ed76150718a6ef93c7fe010.exe	130
PID 1040 wrote to memory of 3756	1040	dadf12489ed76150718a6ef93c7fe010.exe	142
PID 1040 wrote to memory of 3756	1040	dadf12489ed76150718a6ef93c7fe010.exe	142
PID 3756 wrote to memory of 2572	3756	cmd.exe	144
PID 3756 wrote to memory of 2572	3756	cmd.exe	144
PID 3756 wrote to memory of 5468	3756	cmd.exe	147
PID 3756 wrote to memory of 5468	3756	cmd.exe	147
PID 5468 wrote to memory of 5696	5468	winlogon.exe	148
PID 5468 wrote to memory of 5696	5468	winlogon.exe	148
PID 5468 wrote to memory of 5740	5468	winlogon.exe	149
PID 5468 wrote to memory of 5740	5468	winlogon.exe	149
PID 5696 wrote to memory of 3736	5696	WScript.exe	154
PID 5696 wrote to memory of 3736	5696	WScript.exe	154
PID 3736 wrote to memory of 4512	3736	winlogon.exe	155
PID 3736 wrote to memory of 4512	3736	winlogon.exe	155
PID 3736 wrote to memory of 5148	3736	winlogon.exe	156
PID 3736 wrote to memory of 5148	3736	winlogon.exe	156
PID 4512 wrote to memory of 780	4512	WScript.exe	158
PID 4512 wrote to memory of 780	4512	WScript.exe	158
PID 780 wrote to memory of 3512	780	winlogon.exe	159
PID 780 wrote to memory of 3512	780	winlogon.exe	159
PID 780 wrote to memory of 5340	780	winlogon.exe	160
PID 780 wrote to memory of 5340	780	winlogon.exe	160

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dadf12489ed76150718a6ef93c7fe010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe
"C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d9c22b4eaa3c0b9c12c7/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/dfe2e59cddd00040f555dab607351a1d/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MZSLAohkGL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2572
- - C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe
    "C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5468
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a98bcbf-ca5f-4757-b218-1654b7309fc3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5696
    - - C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3736
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977e3be6-e649-4180-8735-c3466afc496b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3dda4e5-f64f-44c8-bc44-523e0652c761.vbs"
        8⤵
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97bfdf17-a21a-4f05-97e7-bb4fc3519117.vbs"
        8⤵
        
        PID:5340
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b73cbf29-6dd2-43b3-b34f-b4a20fa3e681.vbs"
        6⤵
        
        PID:5148
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f705adb0-5e66-4ef0-ba07-bb892eda18be.vbs"
      4⤵
      PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
5.9MB

MD5
dadf12489ed76150718a6ef93c7fe010

SHA1
1895e40361a27955832e7bc518359440fb716236

SHA256
3769933e54a8e2c3df8af84017b52a270b5307cea7df0386d860214bb9fda3eb

SHA512
4edfdc0b1231d4c757ada0f66711fafb13f812e9c8cc0b10efd41f514732a3ab6607a5403ea2b1c711758a72964ef9cc9cd962e7a5ad0be0356b339677cc9c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
52154da84516c927c4571b3afe748773

SHA1
9060e24b271895bb2fbdeb9bada32d387cbf1a46

SHA256
9b12f0d1478f34794f3427ca46c163a4000976db9be93cab681881d355047653

SHA512
22329f756bca4290e06021e2aca9d74e5237282ae27fdef82ee26ceaaa7d07320703754a619c39bc542b3e97dde709b664e96b53726da3fe28065836f3b315e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94f35f261590c8add6967ae13ee05fab

SHA1
e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7

SHA256
db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63

SHA512
3e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c88f5f103e9375dc09ed9111f780e6ac

SHA1
f4bfc56f2c79364a5a32ca575329de6d7f648661

SHA256
a159d1dfb8d72e4f3db774b7a7c841cb3fefc1655bf5a705c87ae022b9189ea5

SHA512
31d29b73dd24f1b223b7cfbeca129834f9eac0999bed647784bb933e0dfbb0ad70c003dd70b7cea1049d33d9d189bf80c285be45d4ffd8cf9fa0732be542a4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a98bcbf-ca5f-4757-b218-1654b7309fc3.vbs

Filesize
724B

MD5
dc6720d025c6654cd45f5f60893d0c5c

SHA1
36a18546054929821dc72da8a86e1689b9faebfe

SHA256
cf6dfd0ff1a758f3f99ab843cee59b0c3e0c26e3e44176b4585144fda238fee9

SHA512
08193ca1940e0364720377b79d251062e184b3cd51ddc780d641dabab7106c4fe985f30255c52712f89c282f389083167605d461b0e680c0af256d5722589ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\977e3be6-e649-4180-8735-c3466afc496b.vbs

Filesize
724B

MD5
0be23bcd15669158b87fa9682163255c

SHA1
f0a795de410eb9bf01e8149fd8e0daa2d7cf8d7b

SHA256
6b4be5006bb689883cc757405c118fd39faa436fb98aabf36cf3ed10a9caca4f

SHA512
b4a3646aed9f9ecda75a454abc13c2da92e0272a0b66a184ceb52e1edc0b529dc7dcdfc6d55ae40340dc210ffe2e7b612b251af1ba376a991bdf3c5ca80d45fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZSLAohkGL.bat

Filesize
213B

MD5
43031b135e99bd47e09a3737307010fa

SHA1
e355bf59d20c53937d1c592539c2505b1e781c9f

SHA256
129adb95266d3fa0c5b299b57ff81af46c4b50382c53fac0199d33b777b558b5

SHA512
ddbca151d8c500c66ca643c332924ae0c04e1268e55eac6d503f3dce5b22e73529067d2b390f7db98e4b65d88cb0fc2ca70659c36a280f83b7fcf89f8647902e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xchz13ee.05g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3dda4e5-f64f-44c8-bc44-523e0652c761.vbs

Filesize
723B

MD5
84606ef08c5c32c442ea20fae99f7bf7

SHA1
21ec6a2a0e99fc0b70ec872f05d534de2b117233

SHA256
d537db4110d550a2d2e4e8d82e80a8bf5efbd158a4bf10dcf81f0ecdcba56173

SHA512
641f5c7e635d861533815b02f35d677a4dbf2e6dc4d26237464bcefbb5c4f6602acb68e96c29a8dc203f02bbd57e5f6def568cdf6ec97316276ffe526875889e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f705adb0-5e66-4ef0-ba07-bb892eda18be.vbs

Filesize
500B

MD5
cd9be5fece24d8679fd18ddcd2375bd3

SHA1
18772ac44d6d880ba416e583936263afdf43ee9e

SHA256
2ab7c4ca6bb4648cd151b67652f6dd6fcd449d4129571aa5da4cf7f019dcb68b

SHA512
e31430f5453901f06e5ff0cca94fe9d82d494bf867ab7f0d0150bf43ab80a8fb8f6eb6fe1dc110677fe646116d41e54fd5f37c9e54521b3f7b8b6e68dfd675e8

Download Submit
C:\Users\Default\OfficeClickToRun.exe

Filesize
5.9MB

MD5
fd8f3a637ac31382e658e6b7d6d6afe5

SHA1
dc1a878ecc7c4ef8c8986f8719162707281110d3

SHA256
e279540de68609c6151b407194b621ffba0bd54b6dc33fa2135ab0d2ebd9cba6

SHA512
7dda2175ece86b4de98d44a8c4fd9bcf5dd5705c10226e7b355d1cbfc96d2975e3e782bba5b08279b55eb4d69f567d87f6056d209105a1c7a0cec35329840a0f

Download Submit
C:\d9c22b4eaa3c0b9c12c7\csrss.exe

Filesize
5.9MB

MD5
07d12ee83543746b54b5a7e1867e081a

SHA1
eec97890cb58299fea074640238c2796b88a4873

SHA256
860910f3be335c66b757f6426c0579fb3dbd09286556964ad46a57489a95bbe2

SHA512
e7b0785ee57eac58b9c4742b6dad9f09fb3697c95d6afe57724bf4844af1e1f4420592e79fe335687243b85b307586665c1ec8f9d7cdbd867ee13845b148212d

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\winlogon.exe

Filesize
5.9MB

MD5
0b9a55f0da548ec96e471b2436535f5b

SHA1
3adddf79c29a95102fdf70ceda58c4ed503e4474

SHA256
17298b5026cffa57044a38982b84200ba222f91f226fa47929c671d4aa4d89b7

SHA512
e388623a7ff3ffcf81fcb247b732c6f7d5ecbdbfc98d662776c13963ac9cc90b2ee6c21bdcb4e38275788d468bcce9fb7ba2f0a7ba22d24838d95da07f93a4a0

Download Submit
memory/1040-24-0x000000001D420000-0x000000001D432000-memory.dmp

Filesize
72KB

Download
memory/1040-27-0x000000001D460000-0x000000001D46C000-memory.dmp

Filesize
48KB

Download
memory/1040-39-0x000000001D730000-0x000000001D738000-memory.dmp

Filesize
32KB

Download
memory/1040-41-0x000000001D750000-0x000000001D75C000-memory.dmp

Filesize
48KB

Download
memory/1040-30-0x000000001D4A0000-0x000000001D4AC000-memory.dmp

Filesize
48KB

Download
memory/1040-38-0x000000001D720000-0x000000001D72C000-memory.dmp

Filesize
48KB

Download
memory/1040-37-0x000000001D710000-0x000000001D718000-memory.dmp

Filesize
32KB

Download
memory/1040-35-0x000000001D6E0000-0x000000001D6E8000-memory.dmp

Filesize
32KB

Download
memory/1040-33-0x000000001D5C0000-0x000000001D5CA000-memory.dmp

Filesize
40KB

Download
memory/1040-36-0x000000001D700000-0x000000001D70E000-memory.dmp

Filesize
56KB

Download
memory/1040-34-0x000000001D5D0000-0x000000001D5DE000-memory.dmp

Filesize
56KB

Download
memory/1040-32-0x000000001D5B0000-0x000000001D5BC000-memory.dmp

Filesize
48KB

Download
memory/1040-31-0x000000001D6F0000-0x000000001D6F8000-memory.dmp

Filesize
32KB

Download
memory/1040-29-0x000000001D490000-0x000000001D49C000-memory.dmp

Filesize
48KB

Download
memory/1040-28-0x000000001D470000-0x000000001D478000-memory.dmp

Filesize
32KB

Download
memory/1040-26-0x000000001D450000-0x000000001D45C000-memory.dmp

Filesize
48KB

Download
memory/1040-25-0x000000001D9C0000-0x000000001DEE8000-memory.dmp

Filesize
5.2MB

Download
memory/1040-21-0x000000001D400000-0x000000001D40C000-memory.dmp

Filesize
48KB

Download
memory/1040-20-0x000000001D3F0000-0x000000001D3F8000-memory.dmp

Filesize
32KB

Download
memory/1040-9-0x000000001D1B0000-0x000000001D1B8000-memory.dmp

Filesize
32KB

Download
memory/1040-8-0x000000001D200000-0x000000001D250000-memory.dmp

Filesize
320KB

Download
memory/1040-7-0x000000001BA40000-0x000000001BA5C000-memory.dmp

Filesize
112KB

Download
memory/1040-6-0x00000000015A0000-0x00000000015A8000-memory.dmp

Filesize
32KB

Download
memory/1040-40-0x000000001D740000-0x000000001D74A000-memory.dmp

Filesize
40KB

Download
memory/1040-22-0x000000001D410000-0x000000001D418000-memory.dmp

Filesize
32KB

Download
memory/1040-1-0x00000000004A0000-0x0000000000D98000-memory.dmp

Filesize
9.0MB

Download
memory/1040-0-0x00007FFF638A3000-0x00007FFF638A5000-memory.dmp

Filesize
8KB

Download
memory/1040-207-0x00007FFF638A0000-0x00007FFF64361000-memory.dmp

Filesize
10.8MB

Download
memory/1040-11-0x000000001D1D0000-0x000000001D1E6000-memory.dmp

Filesize
88KB

Download
memory/1040-12-0x000000001D1F0000-0x000000001D1F8000-memory.dmp

Filesize
32KB

Download
memory/1040-19-0x000000001D3E0000-0x000000001D3EC000-memory.dmp

Filesize
48KB

Download
memory/1040-18-0x000000001D390000-0x000000001D3E6000-memory.dmp

Filesize
344KB

Download
memory/1040-17-0x000000001D380000-0x000000001D38A000-memory.dmp

Filesize
40KB

Download
memory/1040-13-0x000000001D250000-0x000000001D262000-memory.dmp

Filesize
72KB

Download
memory/1040-15-0x000000001D370000-0x000000001D378000-memory.dmp

Filesize
32KB

Download
memory/1040-16-0x000000001D480000-0x000000001D490000-memory.dmp

Filesize
64KB

Download
memory/1040-14-0x000000001D360000-0x000000001D36C000-memory.dmp

Filesize
48KB

Download
memory/1040-10-0x000000001D1C0000-0x000000001D1D0000-memory.dmp

Filesize
64KB

Download
memory/1040-2-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/1040-3-0x00007FFF638A0000-0x00007FFF64361000-memory.dmp

Filesize
10.8MB

Download
memory/1040-5-0x0000000001590000-0x000000000159E000-memory.dmp

Filesize
56KB

Download
memory/1040-4-0x0000000001580000-0x000000000158E000-memory.dmp

Filesize
56KB

Download
memory/3736-327-0x000000001C470000-0x000000001C482000-memory.dmp

Filesize
72KB

Download
memory/4184-166-0x00000214F6A90000-0x00000214F6AB2000-memory.dmp

Filesize
136KB

Download
memory/5468-313-0x000000001B5D0000-0x000000001B5E2000-memory.dmp

Filesize
72KB

Download
memory/5468-311-0x0000000000030000-0x0000000000928000-memory.dmp

Filesize
9.0MB

Download