dcrat | 5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e277271cc70bc12cb5a62950728025e8.exe
Size

5.9MB
MD5

e277271cc70bc12cb5a62950728025e8
SHA1

f49e565e7e17473bf473727846744436622083eb
SHA256

cabbb23bfd4c9f0ee454f1c072f963b938281c38dc7d14cfe62629e23f96dfda
SHA512

dcc1aff642ab495007d83906e3316cde8c0f36c1a902abf2c6bcd9991b1ee7fbecc3bb4e281ffc2f25d1e6c5531179deba529d177b757ab89e9a9872e2712feb
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:RyeU11Rvqmu8TWKnF6N/1wi

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5472	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5672	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4764	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4764	schtasks.exe	91

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3068	powershell.exe
560	powershell.exe
2132	powershell.exe
1476	powershell.exe
1572	powershell.exe
2844	powershell.exe
3504	powershell.exe
5532	powershell.exe
2824	powershell.exe
5564	powershell.exe
4944	powershell.exe
508	powershell.exe
1768	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e277271cc70bc12cb5a62950728025e8.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	e277271cc70bc12cb5a62950728025e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
3840	RuntimeBroker.exe
6116	RuntimeBroker.exe
6100	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e277271cc70bc12cb5a62950728025e8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
3840	RuntimeBroker.exe
3840	RuntimeBroker.exe
6116	RuntimeBroker.exe
6116	RuntimeBroker.exe
6100	RuntimeBroker.exe
6100	RuntimeBroker.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4312_927263671\sysmon.exe	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\edge_BITS_4312_927263671\RCXA554.tmp	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\edge_BITS_4312_927263671\RCXA565.tmp	e277271cc70bc12cb5a62950728025e8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe	e277271cc70bc12cb5a62950728025e8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\smss.exe	e277271cc70bc12cb5a62950728025e8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\69ddcba757bf72	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\edge_BITS_4312_927263671\sysmon.exe	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\RCXAA0B.tmp	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\RCXAA1C.tmp	e277271cc70bc12cb5a62950728025e8.exe
File created	C:\Program Files\edge_BITS_4312_927263671\121e5b5079f7c0	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RCXA33F.tmp	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RCXA350.tmp	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe	e277271cc70bc12cb5a62950728025e8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\smss.exe	e277271cc70bc12cb5a62950728025e8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\9e8d7a4ca61bd9	e277271cc70bc12cb5a62950728025e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e277271cc70bc12cb5a62950728025e8.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4224	schtasks.exe
3304	schtasks.exe
6128	schtasks.exe
1592	schtasks.exe
1148	schtasks.exe
1092	schtasks.exe
5924	schtasks.exe
5200	schtasks.exe
3440	schtasks.exe
428	schtasks.exe
5208	schtasks.exe
6068	schtasks.exe
6020	schtasks.exe
4644	schtasks.exe
5212	schtasks.exe
2548	schtasks.exe
5704	schtasks.exe
5672	schtasks.exe
4788	schtasks.exe
4192	schtasks.exe
4652	schtasks.exe
5472	schtasks.exe
3028	schtasks.exe
5160	schtasks.exe
2968	schtasks.exe
4564	schtasks.exe
4744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
508	powershell.exe
508	powershell.exe
4944	powershell.exe
4944	powershell.exe
1768	powershell.exe
1768	powershell.exe
2132	powershell.exe
2132	powershell.exe
5564	powershell.exe
5564	powershell.exe
2824	powershell.exe
2824	powershell.exe
1476	powershell.exe
1476	powershell.exe
2844	powershell.exe
2844	powershell.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
5532	powershell.exe
5532	powershell.exe
6120	e277271cc70bc12cb5a62950728025e8.exe
560	powershell.exe
560	powershell.exe
3504	powershell.exe
3504	powershell.exe
3068	powershell.exe
3068	powershell.exe
1572	powershell.exe
1572	powershell.exe
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	6120	e277271cc70bc12cb5a62950728025e8.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	5532	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3840	RuntimeBroker.exe
Token: SeDebugPrivilege	6116	RuntimeBroker.exe
Token: SeDebugPrivilege	6100	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 6120 wrote to memory of 508	6120	e277271cc70bc12cb5a62950728025e8.exe	121
PID 6120 wrote to memory of 508	6120	e277271cc70bc12cb5a62950728025e8.exe	121
PID 6120 wrote to memory of 4944	6120	e277271cc70bc12cb5a62950728025e8.exe	122
PID 6120 wrote to memory of 4944	6120	e277271cc70bc12cb5a62950728025e8.exe	122
PID 6120 wrote to memory of 5564	6120	e277271cc70bc12cb5a62950728025e8.exe	123
PID 6120 wrote to memory of 5564	6120	e277271cc70bc12cb5a62950728025e8.exe	123
PID 6120 wrote to memory of 1476	6120	e277271cc70bc12cb5a62950728025e8.exe	124
PID 6120 wrote to memory of 1476	6120	e277271cc70bc12cb5a62950728025e8.exe	124
PID 6120 wrote to memory of 2824	6120	e277271cc70bc12cb5a62950728025e8.exe	125
PID 6120 wrote to memory of 2824	6120	e277271cc70bc12cb5a62950728025e8.exe	125
PID 6120 wrote to memory of 2132	6120	e277271cc70bc12cb5a62950728025e8.exe	126
PID 6120 wrote to memory of 2132	6120	e277271cc70bc12cb5a62950728025e8.exe	126
PID 6120 wrote to memory of 560	6120	e277271cc70bc12cb5a62950728025e8.exe	127
PID 6120 wrote to memory of 560	6120	e277271cc70bc12cb5a62950728025e8.exe	127
PID 6120 wrote to memory of 5532	6120	e277271cc70bc12cb5a62950728025e8.exe	128
PID 6120 wrote to memory of 5532	6120	e277271cc70bc12cb5a62950728025e8.exe	128
PID 6120 wrote to memory of 3504	6120	e277271cc70bc12cb5a62950728025e8.exe	129
PID 6120 wrote to memory of 3504	6120	e277271cc70bc12cb5a62950728025e8.exe	129
PID 6120 wrote to memory of 2844	6120	e277271cc70bc12cb5a62950728025e8.exe	130
PID 6120 wrote to memory of 2844	6120	e277271cc70bc12cb5a62950728025e8.exe	130
PID 6120 wrote to memory of 3068	6120	e277271cc70bc12cb5a62950728025e8.exe	131
PID 6120 wrote to memory of 3068	6120	e277271cc70bc12cb5a62950728025e8.exe	131
PID 6120 wrote to memory of 1572	6120	e277271cc70bc12cb5a62950728025e8.exe	132
PID 6120 wrote to memory of 1572	6120	e277271cc70bc12cb5a62950728025e8.exe	132
PID 6120 wrote to memory of 1768	6120	e277271cc70bc12cb5a62950728025e8.exe	133
PID 6120 wrote to memory of 1768	6120	e277271cc70bc12cb5a62950728025e8.exe	133
PID 6120 wrote to memory of 3840	6120	e277271cc70bc12cb5a62950728025e8.exe	147
PID 6120 wrote to memory of 3840	6120	e277271cc70bc12cb5a62950728025e8.exe	147
PID 3840 wrote to memory of 3444	3840	RuntimeBroker.exe	149
PID 3840 wrote to memory of 3444	3840	RuntimeBroker.exe	149
PID 3840 wrote to memory of 3592	3840	RuntimeBroker.exe	150
PID 3840 wrote to memory of 3592	3840	RuntimeBroker.exe	150
PID 3444 wrote to memory of 6116	3444	WScript.exe	160
PID 3444 wrote to memory of 6116	3444	WScript.exe	160
PID 6116 wrote to memory of 3608	6116	RuntimeBroker.exe	161
PID 6116 wrote to memory of 3608	6116	RuntimeBroker.exe	161
PID 6116 wrote to memory of 2672	6116	RuntimeBroker.exe	162
PID 6116 wrote to memory of 2672	6116	RuntimeBroker.exe	162
PID 3608 wrote to memory of 6100	3608	WScript.exe	164
PID 3608 wrote to memory of 6100	3608	WScript.exe	164
PID 6100 wrote to memory of 448	6100	RuntimeBroker.exe	165
PID 6100 wrote to memory of 448	6100	RuntimeBroker.exe	165
PID 6100 wrote to memory of 3948	6100	RuntimeBroker.exe	166
PID 6100 wrote to memory of 3948	6100	RuntimeBroker.exe	166

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e277271cc70bc12cb5a62950728025e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e277271cc70bc12cb5a62950728025e8.exe
"C:\Users\Admin\AppData\Local\Temp\e277271cc70bc12cb5a62950728025e8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe
  "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f23f9cc-e113-45b0-a92d-07a1ba4c47da.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe
      "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:6116
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16c9e29c-33d4-4157-9e0a-1cce13a74698.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22a91b1a-5528-4a13-a23e-af57a0c13bdd.vbs"
        7⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ca43f5b-1ac9-491c-b10b-70fca5e33ef5.vbs"
        7⤵
        
        PID:3948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30dc5a22-0e7d-4f15-80fb-1a2f2d94cd31.vbs"
        5⤵
        
        PID:2672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccced3ed-f745-4f1c-b5e4-d68af8de68d8.vbs"
    3⤵
    PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4312_927263671\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4312_927263671\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4312_927263671\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe

Filesize
5.9MB

MD5
b41a8e0e1e9bf917c4a2131b6be76e44

SHA1
661678d4fabe8aaacd9556ecc62a9010e93139f4

SHA256
3aba0677eeed787fcf26ed5bb4f00d0ce2d9c9d42ae738fb0bc5b2bba2d83395

SHA512
468d8ccee3793d4e16ac1674bffd5493d0e6c6ff345a9e45fa66bbde5eaeaf6d70f5075fc7ba3d975d83c727be22eb07bb310f9cb4e38ff2d8bbbc53e30d38bf

Download Submit
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RuntimeBroker.exe

Filesize
5.9MB

MD5
e277271cc70bc12cb5a62950728025e8

SHA1
f49e565e7e17473bf473727846744436622083eb

SHA256
cabbb23bfd4c9f0ee454f1c072f963b938281c38dc7d14cfe62629e23f96dfda

SHA512
dcc1aff642ab495007d83906e3316cde8c0f36c1a902abf2c6bcd9991b1ee7fbecc3bb4e281ffc2f25d1e6c5531179deba529d177b757ab89e9a9872e2712feb

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
5.9MB

MD5
8fa652c2a83d548794c0dd1dc9087f73

SHA1
0ded471fa1657450fc5141a820ab11e14bcb36e8

SHA256
d529d101bc7527231f5a3c83c7973f838a9128544d3c74b877280b74f02e4436

SHA512
3357ba0f050b688a56d75b28d90651c21a70d97a875ef60061500c2a4552265fcc0918d6dc5b3c6f4547cfba96ee67176c090cea9615bc1ab0fca5c4e1357f4b

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
5.9MB

MD5
6ae47fd254c364fc1b5869330c9a4526

SHA1
578f1164f30ff39155b824db361c498a08857bb2

SHA256
3a8f0522cbfef7a0f04c580617998f88e62e0edaec486d9d92f3db86fae7815a

SHA512
bd528952e241574caf9098042e0dd397c8a2eea4fd2c4f5ce8da070a1d4939c1a717511500502f897bd1c69592de52a546877b4f3322532cb4eeb8834070540a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30a3d26182cecee39c4d71c88abeb93d

SHA1
7473af4fdd97dbaa00630a70b003b89ee5dd2410

SHA256
e987e43bbf07dc1c39447f43824d44ee3834306441a3ab751949671ea7900fda

SHA512
59bae5495a22e5816b39f9a5e16e4352d68bbf402a8b1ca0e43afd3a8fe9c8e72908520b99d066ff23ccc68fb8cf064b07caaafd075fd970cc2d62d132f396c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
03f50c7070ba1f54782f4ab1969e4753

SHA1
49d81d10c39e5262e0c5ede717d158928dfa8db7

SHA256
6f43b688400511d37e3df0415a140030ccd0b972bd91c364ac036d0ccb798613

SHA512
55e4849066cac0acef3a56183b1083ae594fcda62f3697a8300029a1db7f535b2df911fb67abfce881349c5fc66d3fc08e345ceb3e368dc9f1bd3e5541ad7941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94256212310a547ba240e2aa86468177

SHA1
f52a751219868220e86405aba60f0504332444be

SHA256
4ff13717087ef748699f1fd75630e1ff8d92694f4d2079826c7229608639c50a

SHA512
22efada6acfff168e1d60d5fbd9ae9b504a7eb52ae30e4a5b571880e9c8a4ff4dff7fbf453d5c7281e13b5d7ab9b4269f040dc1d58e523edf6de9496b4a0dd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ea4fdbf8bad883929456091a1e50194

SHA1
fc3b6026729ad36729c2cc4349b8e7a94255ad71

SHA256
ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

SHA512
27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15521808f89b47330dc44e0debfb369c

SHA1
f9ff45265173980d8f5ba51c3a68d1b36987db91

SHA256
287b79804eb7d558e133160a42beac75c8fcc49558f883adce9b0da42e2fc18f

SHA512
9479b6c6e58d08183bd968b22c07b0c640c15514f0a6b18d8befead8cb984e23939abcb9ecf69c068cf8105edbe6d9844c402e0b766887d90aa861da8ba2f79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
48b2b59bd1016475be4de4e087bb8169

SHA1
ecf9263187e29dc612224a6e1a4c5243ed110040

SHA256
df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209

SHA512
2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f532a56ff7168bf1c954233a1f87b6c

SHA1
379d43d676d92b455f62b4677389e488905a55c6

SHA256
0a23108d89a76df1d5c3b869dc77157c66ea2873346d7d7427fab9c49ec53f07

SHA512
3c07fd3e20ac3b58ca06f1db83a5e0120f6eee5acf69d2456f035975636d3777feaa00289cd84b9397c515def9db0add9c1f2c6b9e168568ccee009f7dc06769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
18d7861965ff5b759353d350980f2f18

SHA1
7e65f380273a0c3754af2b1c0b5b9377e0c6f77b

SHA256
9179c14c5e5d170a6a6ad522528f4f297860275e70613ec246945f553e51ba66

SHA512
8922419330fdef97267030c810a3c49f2fb539b9b3958937a2f7f3c7031435f4b8c8ac27ca6c1f6380f279d12309cfd8f3994c054cef5d77f95a20060e59404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16c9e29c-33d4-4157-9e0a-1cce13a74698.vbs

Filesize
762B

MD5
a6b56646d176be8ccd851df4168bf16c

SHA1
e3b87b4ed3f7add95be11353da72b0143b2c6d27

SHA256
c47dd0509fdfada2250ded0dcb50c5830ec045fc9c8172b9b7f336272845f44e

SHA512
2a2ef256da20f2d7236396474cff5a511485a6b59ecf3867134eb92dac263436aba6bc456b281750cfec3f8692eff24a0248a6ff21e2cd8c3a6fe38ea0bca180

Download Submit
C:\Users\Admin\AppData\Local\Temp\22a91b1a-5528-4a13-a23e-af57a0c13bdd.vbs

Filesize
762B

MD5
3dc9beefd9feef96d872cd6ac0adc3b2

SHA1
1acd05ef59e395b5cf5fe4f1b7e6e0c559dc2542

SHA256
de01572797fea3609552d6a5db8d425b0bda5df16b33baf17e6c707baa59833d

SHA512
ced5eee5724f57702eb9d9e12a182159d040e0fc756bd0f587986e54221ee5b027ce118df2a8dd8a5ab75f0239604cfde982d429b8bb02ddd81f125365c614d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f23f9cc-e113-45b0-a92d-07a1ba4c47da.vbs

Filesize
762B

MD5
1098ed660ee6742af65f0f914423e1fd

SHA1
854ed5c4de99ee94587b7839c6800af6998d0be4

SHA256
4c4af001e60529da0efd4c8cfa86ee2219342a15f5d62c1df9d802b13fd7a9c3

SHA512
020524afb08f52caab73d26a8be1ffef169c10e0722a1f14999174ae0dce79dcdbe5438f31fd682888b4b3e9553a906381de6f6327b5df7f91377feeadb9c58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25rnurdl.gzm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccced3ed-f745-4f1c-b5e4-d68af8de68d8.vbs

Filesize
538B

MD5
f70b08661158fa9a8b69a3b485cc6560

SHA1
38bcba711d98d8ebaf3d6a6d8dbcab0377f1d9b0

SHA256
aad858da0803e078b70f30d1dccc9e5717ac3e043870fc50cdeb7f454afe3f61

SHA512
ea0cdad217fabc1c7cf632ec56507cf35cfad8cf49bf33082e245ec8060c00a8b58af39a2f8ce5dd0606a3c57ad561faf774a363454cb3827d1ab5e5311a3a24

Download Submit
memory/508-228-0x00000116C2110000-0x00000116C2132000-memory.dmp

Filesize
136KB

Download
memory/6100-403-0x000000001D9B0000-0x000000001DA06000-memory.dmp

Filesize
344KB

Download
memory/6120-36-0x000000001DBB0000-0x000000001DBBE000-memory.dmp

Filesize
56KB

Download
memory/6120-20-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

Filesize
32KB

Download
memory/6120-25-0x000000001DE40000-0x000000001E368000-memory.dmp

Filesize
5.2MB

Download
memory/6120-26-0x000000001D910000-0x000000001D91C000-memory.dmp

Filesize
48KB

Download
memory/6120-27-0x000000001D920000-0x000000001D92C000-memory.dmp

Filesize
48KB

Download
memory/6120-29-0x000000001D940000-0x000000001D94C000-memory.dmp

Filesize
48KB

Download
memory/6120-28-0x000000001D930000-0x000000001D938000-memory.dmp

Filesize
32KB

Download
memory/6120-30-0x000000001D950000-0x000000001D95C000-memory.dmp

Filesize
48KB

Download
memory/6120-31-0x000000001DA60000-0x000000001DA68000-memory.dmp

Filesize
32KB

Download
memory/6120-32-0x000000001DA70000-0x000000001DA7C000-memory.dmp

Filesize
48KB

Download
memory/6120-0-0x00007FFFB7E33000-0x00007FFFB7E35000-memory.dmp

Filesize
8KB

Download
memory/6120-35-0x000000001DBA0000-0x000000001DBA8000-memory.dmp

Filesize
32KB

Download
memory/6120-33-0x000000001DB80000-0x000000001DB8A000-memory.dmp

Filesize
40KB

Download
memory/6120-34-0x000000001DB90000-0x000000001DB9E000-memory.dmp

Filesize
56KB

Download
memory/6120-38-0x000000001DBD0000-0x000000001DBDC000-memory.dmp

Filesize
48KB

Download
memory/6120-37-0x000000001DBC0000-0x000000001DBC8000-memory.dmp

Filesize
32KB

Download
memory/6120-39-0x000000001DBE0000-0x000000001DBE8000-memory.dmp

Filesize
32KB

Download
memory/6120-40-0x000000001DBF0000-0x000000001DBFA000-memory.dmp

Filesize
40KB

Download
memory/6120-41-0x000000001DC00000-0x000000001DC0C000-memory.dmp

Filesize
48KB

Download
memory/6120-21-0x000000001C0B0000-0x000000001C0BC000-memory.dmp

Filesize
48KB

Download
memory/6120-22-0x000000001D8D0000-0x000000001D8D8000-memory.dmp

Filesize
32KB

Download
memory/6120-24-0x000000001D8E0000-0x000000001D8F2000-memory.dmp

Filesize
72KB

Download
memory/6120-19-0x000000001C090000-0x000000001C09C000-memory.dmp

Filesize
48KB

Download
memory/6120-18-0x000000001D880000-0x000000001D8D6000-memory.dmp

Filesize
344KB

Download
memory/6120-17-0x000000001BE70000-0x000000001BE7A000-memory.dmp

Filesize
40KB

Download
memory/6120-275-0x00007FFFB7E33000-0x00007FFFB7E35000-memory.dmp

Filesize
8KB

Download
memory/6120-349-0x00007FFFB7E30000-0x00007FFFB88F1000-memory.dmp

Filesize
10.8MB

Download
memory/6120-16-0x000000001BE60000-0x000000001BE70000-memory.dmp

Filesize
64KB

Download
memory/6120-15-0x000000001BE50000-0x000000001BE58000-memory.dmp

Filesize
32KB

Download
memory/6120-14-0x000000001BE30000-0x000000001BE3C000-memory.dmp

Filesize
48KB

Download
memory/6120-13-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/6120-11-0x000000001BDB0000-0x000000001BDC6000-memory.dmp

Filesize
88KB

Download
memory/6120-12-0x000000001BDD0000-0x000000001BDD8000-memory.dmp

Filesize
32KB

Download
memory/6120-9-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/6120-10-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

Filesize
64KB

Download
memory/6120-8-0x000000001BDE0000-0x000000001BE30000-memory.dmp

Filesize
320KB

Download
memory/6120-6-0x0000000003690000-0x0000000003698000-memory.dmp

Filesize
32KB

Download
memory/6120-7-0x00000000036A0000-0x00000000036BC000-memory.dmp

Filesize
112KB

Download
memory/6120-5-0x0000000003680000-0x000000000368E000-memory.dmp

Filesize
56KB

Download
memory/6120-4-0x0000000003670000-0x000000000367E000-memory.dmp

Filesize
56KB

Download
memory/6120-3-0x00007FFFB7E30000-0x00007FFFB88F1000-memory.dmp

Filesize
10.8MB

Download
memory/6120-2-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/6120-1-0x0000000000950000-0x0000000001248000-memory.dmp

Filesize
9.0MB

Download