dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf9083762908e0056a1584ad1df9457.exe
Size

5.9MB
MD5

cbf9083762908e0056a1584ad1df9457
SHA1

0baab27622e89f104420a8f28b43eed94b3b922d
SHA256

ecaf5a16ff5d2163193af68382c1539e94013e2965c331dcfe4c1111d2f7f4ab
SHA512

07dae15db1ea7d296d66187ef022a64f46057f57982e3124cad47e54f408caf40a3a87a41981a6916eac50705e68c1b65a2b18b202e0c171a7ef0204403aabca
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:RyeU11Rvqmu8TWKnF6N/1wO

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4268	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	4268	schtasks.exe	88

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
5052	powershell.exe
948	powershell.exe
1480	powershell.exe
4984	powershell.exe
2304	powershell.exe
4160	powershell.exe
1700	powershell.exe
3564	powershell.exe
2000	powershell.exe
1596	powershell.exe
2992	powershell.exe
1708	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cbf9083762908e0056a1584ad1df9457.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cbf9083762908e0056a1584ad1df9457.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 3 IoCs

pid	Process
5384	dllhost.exe
448	dllhost.exe
3624	dllhost.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbf9083762908e0056a1584ad1df9457.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
5384	dllhost.exe
5384	dllhost.exe
448	dllhost.exe
448	dllhost.exe
3624	dllhost.exe
3624	dllhost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC6BD.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\RCXC901.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\RCXC912.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\unsecapp.exe	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCXCB35.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD765.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD9E7.tmp	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\unsecapp.exe	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCXCB46.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD7E3.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\29c1c3cc0f7685	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC6DD.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXDA08.tmp	cbf9083762908e0056a1584ad1df9457.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	cbf9083762908e0056a1584ad1df9457.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\9e8d7a4ca61bd9	cbf9083762908e0056a1584ad1df9457.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	cbf9083762908e0056a1584ad1df9457.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe
764	schtasks.exe
4468	schtasks.exe
4256	schtasks.exe
2172	schtasks.exe
1448	schtasks.exe
1144	schtasks.exe
1596	schtasks.exe
4724	schtasks.exe
696	schtasks.exe
4524	schtasks.exe
5020	schtasks.exe
4820	schtasks.exe
4992	schtasks.exe
5108	schtasks.exe
4048	schtasks.exe
1676	schtasks.exe
1504	schtasks.exe
2040	schtasks.exe
860	schtasks.exe
3292	schtasks.exe
2992	schtasks.exe
4984	schtasks.exe
4248	schtasks.exe
2784	schtasks.exe
3892	schtasks.exe
2260	schtasks.exe
2932	schtasks.exe
2744	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
4060	cbf9083762908e0056a1584ad1df9457.exe
1708	powershell.exe
1708	powershell.exe
5052	powershell.exe
5052	powershell.exe
2000	powershell.exe
2000	powershell.exe
1700	powershell.exe
1700	powershell.exe
4160	powershell.exe
4160	powershell.exe
948	powershell.exe
948	powershell.exe
2992	powershell.exe
2992	powershell.exe
3564	powershell.exe
3564	powershell.exe
4984	powershell.exe
4984	powershell.exe
2836	powershell.exe
2836	powershell.exe
1596	powershell.exe
1596	powershell.exe
2304	powershell.exe
2304	powershell.exe
1480	powershell.exe
1480	powershell.exe
5052	powershell.exe
1700	powershell.exe
3564	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	cbf9083762908e0056a1584ad1df9457.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	5384	dllhost.exe
Token: SeDebugPrivilege	448	dllhost.exe
Token: SeDebugPrivilege	3624	dllhost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 948	4060	cbf9083762908e0056a1584ad1df9457.exe	123
PID 4060 wrote to memory of 948	4060	cbf9083762908e0056a1584ad1df9457.exe	123
PID 4060 wrote to memory of 2000	4060	cbf9083762908e0056a1584ad1df9457.exe	124
PID 4060 wrote to memory of 2000	4060	cbf9083762908e0056a1584ad1df9457.exe	124
PID 4060 wrote to memory of 5052	4060	cbf9083762908e0056a1584ad1df9457.exe	125
PID 4060 wrote to memory of 5052	4060	cbf9083762908e0056a1584ad1df9457.exe	125
PID 4060 wrote to memory of 3564	4060	cbf9083762908e0056a1584ad1df9457.exe	126
PID 4060 wrote to memory of 3564	4060	cbf9083762908e0056a1584ad1df9457.exe	126
PID 4060 wrote to memory of 1700	4060	cbf9083762908e0056a1584ad1df9457.exe	128
PID 4060 wrote to memory of 1700	4060	cbf9083762908e0056a1584ad1df9457.exe	128
PID 4060 wrote to memory of 2836	4060	cbf9083762908e0056a1584ad1df9457.exe	130
PID 4060 wrote to memory of 2836	4060	cbf9083762908e0056a1584ad1df9457.exe	130
PID 4060 wrote to memory of 1708	4060	cbf9083762908e0056a1584ad1df9457.exe	131
PID 4060 wrote to memory of 1708	4060	cbf9083762908e0056a1584ad1df9457.exe	131
PID 4060 wrote to memory of 4160	4060	cbf9083762908e0056a1584ad1df9457.exe	133
PID 4060 wrote to memory of 4160	4060	cbf9083762908e0056a1584ad1df9457.exe	133
PID 4060 wrote to memory of 2992	4060	cbf9083762908e0056a1584ad1df9457.exe	135
PID 4060 wrote to memory of 2992	4060	cbf9083762908e0056a1584ad1df9457.exe	135
PID 4060 wrote to memory of 2304	4060	cbf9083762908e0056a1584ad1df9457.exe	137
PID 4060 wrote to memory of 2304	4060	cbf9083762908e0056a1584ad1df9457.exe	137
PID 4060 wrote to memory of 1596	4060	cbf9083762908e0056a1584ad1df9457.exe	141
PID 4060 wrote to memory of 1596	4060	cbf9083762908e0056a1584ad1df9457.exe	141
PID 4060 wrote to memory of 4984	4060	cbf9083762908e0056a1584ad1df9457.exe	142
PID 4060 wrote to memory of 4984	4060	cbf9083762908e0056a1584ad1df9457.exe	142
PID 4060 wrote to memory of 1480	4060	cbf9083762908e0056a1584ad1df9457.exe	144
PID 4060 wrote to memory of 1480	4060	cbf9083762908e0056a1584ad1df9457.exe	144
PID 4060 wrote to memory of 2004	4060	cbf9083762908e0056a1584ad1df9457.exe	149
PID 4060 wrote to memory of 2004	4060	cbf9083762908e0056a1584ad1df9457.exe	149
PID 2004 wrote to memory of 4764	2004	cmd.exe	151
PID 2004 wrote to memory of 4764	2004	cmd.exe	151
PID 2004 wrote to memory of 5384	2004	cmd.exe	154
PID 2004 wrote to memory of 5384	2004	cmd.exe	154
PID 5384 wrote to memory of 5624	5384	dllhost.exe	155
PID 5384 wrote to memory of 5624	5384	dllhost.exe	155
PID 5384 wrote to memory of 5672	5384	dllhost.exe	156
PID 5384 wrote to memory of 5672	5384	dllhost.exe	156
PID 5624 wrote to memory of 448	5624	WScript.exe	165
PID 5624 wrote to memory of 448	5624	WScript.exe	165
PID 448 wrote to memory of 5016	448	dllhost.exe	166
PID 448 wrote to memory of 5016	448	dllhost.exe	166
PID 448 wrote to memory of 2272	448	dllhost.exe	167
PID 448 wrote to memory of 2272	448	dllhost.exe	167
PID 5016 wrote to memory of 3624	5016	WScript.exe	169
PID 5016 wrote to memory of 3624	5016	WScript.exe	169
PID 3624 wrote to memory of 1156	3624	dllhost.exe	170
PID 3624 wrote to memory of 1156	3624	dllhost.exe	170
PID 3624 wrote to memory of 5480	3624	dllhost.exe	171
PID 3624 wrote to memory of 5480	3624	dllhost.exe	171

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbf9083762908e0056a1584ad1df9457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbf9083762908e0056a1584ad1df9457.exe
"C:\Users\Admin\AppData\Local\Temp\cbf9083762908e0056a1584ad1df9457.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0154351536fc379faee1/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/3ac54ddf2ad44faa6035cf/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YhsvDPADKl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4764
- - C:\3ac54ddf2ad44faa6035cf\dllhost.exe
    "C:\3ac54ddf2ad44faa6035cf\dllhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5384
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5bd549-f063-4e57-a981-0ea9e2758d98.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5624
    - - C:\3ac54ddf2ad44faa6035cf\dllhost.exe
        
        C:\3ac54ddf2ad44faa6035cf\dllhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e159159-3cb6-43b1-ba51-f45d4edffe15.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\3ac54ddf2ad44faa6035cf\dllhost.exe
        
        C:\3ac54ddf2ad44faa6035cf\dllhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358e716e-90de-4a5c-8060-f885d6da1462.vbs"
        8⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3597560-a7c7-4bcd-b0ce-af61dad927f3.vbs"
        8⤵
        
        PID:5480
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f750d8-09cb-48bb-84a6-7b7ff911c7df.vbs"
        6⤵
        
        PID:2272
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99084cf0-e944-4ff0-99a0-d385f19d2b82.vbs"
      4⤵
      PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\services.exe

Filesize
5.9MB

MD5
0f252672fecae5bcc722dfb8aa2fda08

SHA1
de6fb46fade154fb6fae44719c8633fbcc266a31

SHA256
62a97ac9b0454b65221b755d6042b7f6ef30d7514f7c3c55225563836394a2dd

SHA512
48130e41e80cf20b1e8bf2d1fdd661366fd8df1758332a4d7676bc4269052014535edf3652d3454e43b33fa7cff504e82eb43c6a987318b2d7f8c592cfead9f3

Download Submit
C:\3ac54ddf2ad44faa6035cf\Idle.exe

Filesize
5.9MB

MD5
cbf9083762908e0056a1584ad1df9457

SHA1
0baab27622e89f104420a8f28b43eed94b3b922d

SHA256
ecaf5a16ff5d2163193af68382c1539e94013e2965c331dcfe4c1111d2f7f4ab

SHA512
07dae15db1ea7d296d66187ef022a64f46057f57982e3124cad47e54f408caf40a3a87a41981a6916eac50705e68c1b65a2b18b202e0c171a7ef0204403aabca

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe

Filesize
5.9MB

MD5
aae899845e59e6fc462c9b4672ae7939

SHA1
212e0c3bc907f337d7db1b0e1e23ac7d7ba5c405

SHA256
6ed46aa2bfa4a4f50f1004b2b6113ab5dad50384ea33ff58b752a011f0d3bcc0

SHA512
d128d70ff0f35894d7279253fcf180e3cfcfb2ae64eea627845eb7690e9814ba690e8a5cebadf82a772d395cd483bf80e08e4b8adac35020f380d156e36874de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1641de9a10da75d35edf03caa25212c1

SHA1
af73f64f8ce476c8e4eb56bb40426552d34c1ca8

SHA256
5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2

SHA512
7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
52154da84516c927c4571b3afe748773

SHA1
9060e24b271895bb2fbdeb9bada32d387cbf1a46

SHA256
9b12f0d1478f34794f3427ca46c163a4000976db9be93cab681881d355047653

SHA512
22329f756bca4290e06021e2aca9d74e5237282ae27fdef82ee26ceaaa7d07320703754a619c39bc542b3e97dde709b664e96b53726da3fe28065836f3b315e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
091f20bbaff3637ace005fce1590be7b

SHA1
00d1ef232fc560231ff81adc227a8f2918235a29

SHA256
bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe

SHA512
ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Temp\358e716e-90de-4a5c-8060-f885d6da1462.vbs

Filesize
713B

MD5
e594cfef06c1d506a767157756fee9a3

SHA1
0541583d2abe8b9908921c8aea25e2f5475475dd

SHA256
3603e4ee8ae1d89cc0bd0de05fe321641f67f961f0579a1b714993a55dccb0f0

SHA512
9b6c7827572bb307fa5b8bf41f5c55b6ed0cb8d575c25f1f638dd44e9a727dfd019e093a4a32e6735cb66411b444f535e7949eaa84933ddfd2f9ada59c175d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e159159-3cb6-43b1-ba51-f45d4edffe15.vbs

Filesize
712B

MD5
9d6dae66d2b9243960cdb548f26126a4

SHA1
88270330b408540ee733979172b667bfa22e2ab6

SHA256
fff782755a39cc02830149d0f1cc423d152b91f130b5c846d8b280567ad6c7a9

SHA512
536601bc9266a427feea6cb1431b3a14c80ead098fc32c63601f27dcb5aa770d30de5bfa4ba4974df3e9c3f772978ee89c4492d840a7da44803880f656977fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\99084cf0-e944-4ff0-99a0-d385f19d2b82.vbs

Filesize
489B

MD5
302e7a2c27703a43024748581d8d0adb

SHA1
719969f403320119750cc3ef13f15b5a26ae5d40

SHA256
cc0b87367ca78e21840c350300f021a2bbdfdd3114dfc9cd95d797e4e505238b

SHA512
5775f9984a4e98748ebe9d052a470d9a9d0ba6bc02c62715a79a6ca70b3b4368dbf50347e086eed7f6a0c6e35b2ec5f4d1053c68c73e397872eff388e1753684

Download Submit
C:\Users\Admin\AppData\Local\Temp\YhsvDPADKl.bat

Filesize
202B

MD5
fcf628bbc8263d4a26cb075eaf1c4e8a

SHA1
c98953fb667387797c7ebe5b0722740e73ea2564

SHA256
9e2dab017aa896cb60d17760d51ea7c491cf861f76c2cde59b26f1ed30b05276

SHA512
89c5bbc0ef0946eccd020b5a7a3702d8ba68d459359d4182461ae8203969fe3cb5ebbdbdb4287af6732fe2e2fcd31ba032121a7ca84886a858cd098dc19f3f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yk1ze5iw.bur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea5bd549-f063-4e57-a981-0ea9e2758d98.vbs

Filesize
713B

MD5
fc0b07e1cc2817bd38e8a9df81c06544

SHA1
64c06928d649019dc37abbf5cfe701fa14f0438c

SHA256
8f6cea93c6c600ca8bdcfdc3c215546f22ffc279b04fb6fd45c57170fe41ceeb

SHA512
8a4c420f14f67665f7360db24f7b1f64e0b711e83b4d98bd537bc43455fd4cf03790140b8628aa42b4c3087d1afc3188935b55fce4a412830729cea58af1260d

Download Submit
memory/1700-206-0x000001930F250000-0x000001930F272000-memory.dmp

Filesize
136KB

Download
memory/3624-363-0x000000001C330000-0x000000001C342000-memory.dmp

Filesize
72KB

Download
memory/4060-16-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4060-21-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/4060-24-0x000000001C010000-0x000000001C022000-memory.dmp

Filesize
72KB

Download
memory/4060-26-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/4060-25-0x000000001C570000-0x000000001CA98000-memory.dmp

Filesize
5.2MB

Download
memory/4060-30-0x000000001C080000-0x000000001C08C000-memory.dmp

Filesize
48KB

Download
memory/4060-36-0x000000001C2E0000-0x000000001C2EE000-memory.dmp

Filesize
56KB

Download
memory/4060-41-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/4060-40-0x000000001C320000-0x000000001C32A000-memory.dmp

Filesize
40KB

Download
memory/4060-39-0x000000001C310000-0x000000001C318000-memory.dmp

Filesize
32KB

Download
memory/4060-38-0x000000001C300000-0x000000001C30C000-memory.dmp

Filesize
48KB

Download
memory/4060-37-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

Filesize
32KB

Download
memory/4060-35-0x000000001C2D0000-0x000000001C2D8000-memory.dmp

Filesize
32KB

Download
memory/4060-34-0x000000001C2B0000-0x000000001C2BE000-memory.dmp

Filesize
56KB

Download
memory/4060-33-0x000000001C2A0000-0x000000001C2AA000-memory.dmp

Filesize
40KB

Download
memory/4060-32-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/4060-31-0x000000001C2C0000-0x000000001C2C8000-memory.dmp

Filesize
32KB

Download
memory/4060-29-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/4060-28-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/4060-27-0x000000001C050000-0x000000001C05C000-memory.dmp

Filesize
48KB

Download
memory/4060-22-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/4060-20-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/4060-19-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/4060-17-0x000000001B860000-0x000000001B86A000-memory.dmp

Filesize
40KB

Download
memory/4060-18-0x000000001BFA0000-0x000000001BFF6000-memory.dmp

Filesize
344KB

Download
memory/4060-15-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/4060-0-0x00007FFFEBAB3000-0x00007FFFEBAB5000-memory.dmp

Filesize
8KB

Download
memory/4060-196-0x00007FFFEBAB0000-0x00007FFFEC571000-memory.dmp

Filesize
10.8MB

Download
memory/4060-14-0x0000000002C20000-0x0000000002C2C000-memory.dmp

Filesize
48KB

Download
memory/4060-8-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/4060-9-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/4060-10-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/4060-11-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

Filesize
88KB

Download
memory/4060-12-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/4060-13-0x0000000002BF0000-0x0000000002C02000-memory.dmp

Filesize
72KB

Download
memory/4060-5-0x0000000002B10000-0x0000000002B1E000-memory.dmp

Filesize
56KB

Download
memory/4060-6-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/4060-7-0x0000000002B90000-0x0000000002BAC000-memory.dmp

Filesize
112KB

Download
memory/4060-4-0x0000000001200000-0x000000000120E000-memory.dmp

Filesize
56KB

Download
memory/4060-3-0x00007FFFEBAB0000-0x00007FFFEC571000-memory.dmp

Filesize
10.8MB

Download
memory/4060-2-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/4060-1-0x0000000000130000-0x0000000000A28000-memory.dmp

Filesize
9.0MB

Download