dcrat | add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f9b03d2df5b98862c4a8786e7c60b9.exe
Size

5.9MB
MD5

23f9b03d2df5b98862c4a8786e7c60b9
SHA1

e6fee163376604e213286ef0729e9d7b4333ff24
SHA256

d8d10225adab6ebd9664f4ea8238a53b39ebe518df431ec221859221815b1177
SHA512

f9dc66a4e101f09e2c59a364e439232fc89cd4040ffa920021bf3b93a5c45f6d74c03e88f029c5c7fa7a3b0685c6ace73340231faeb039d6f26408b7fab77461
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw48:RyeU11Rvqmu8TWKnF6N/1wB

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4668	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4668	schtasks.exe	89

UAC bypass 3 TTPs 9 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
668	powershell.exe
4420	powershell.exe
4440	powershell.exe
4756	powershell.exe
1164	powershell.exe
5116	powershell.exe
4088	powershell.exe
4408	powershell.exe
3488	powershell.exe
1388	powershell.exe
2016	powershell.exe
2948	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	23f9b03d2df5b98862c4a8786e7c60b9.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	23f9b03d2df5b98862c4a8786e7c60b9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	RuntimeBroker.exe
860	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
3664	RuntimeBroker.exe
3664	RuntimeBroker.exe
860	RuntimeBroker.exe
860	RuntimeBroker.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Program Files (x86)\Google\Update\9e8d7a4ca61bd9	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Program Files\Internet Explorer\uk-UA\dllhost.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Program Files\Internet Explorer\uk-UA\5940a34987c991	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\7a0fd90576e088	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX8B8A.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX976B.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCX94C9.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX96ED.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX8B79.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCX942C.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\dllhost.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\EventLog\Data\fontdrvhost.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Windows\en-US\RuntimeBroker.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe
File created	C:\Windows\en-US\9e8d7a4ca61bd9	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Windows\en-US\RCX91F7.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Windows\en-US\RCX9217.tmp	23f9b03d2df5b98862c4a8786e7c60b9.exe
File opened for modification	C:\Windows\en-US\RuntimeBroker.exe	23f9b03d2df5b98862c4a8786e7c60b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	23f9b03d2df5b98862c4a8786e7c60b9.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4252	schtasks.exe
1660	schtasks.exe
4872	schtasks.exe
3356	schtasks.exe
4812	schtasks.exe
3848	schtasks.exe
1720	schtasks.exe
4516	schtasks.exe
4080	schtasks.exe
1832	schtasks.exe
4148	schtasks.exe
4696	schtasks.exe
3492	schtasks.exe
1512	schtasks.exe
1924	schtasks.exe
5012	schtasks.exe
1132	schtasks.exe
3924	schtasks.exe
4452	schtasks.exe
4176	schtasks.exe
4188	schtasks.exe
4112	schtasks.exe
3900	schtasks.exe
456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
5008	powershell.exe
5008	powershell.exe
4420	powershell.exe
4420	powershell.exe
4408	powershell.exe
4408	powershell.exe
3488	powershell.exe
3488	powershell.exe
1164	powershell.exe
1164	powershell.exe
4440	powershell.exe
4440	powershell.exe
2016	powershell.exe
2016	powershell.exe
4088	powershell.exe
4088	powershell.exe
1388	powershell.exe
1388	powershell.exe
4756	powershell.exe
4756	powershell.exe
5116	powershell.exe
5116	powershell.exe
2948	powershell.exe
2948	powershell.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
668	powershell.exe
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	3664	RuntimeBroker.exe
Token: SeDebugPrivilege	860	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 5008	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	114
PID 2552 wrote to memory of 5008	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	114
PID 2552 wrote to memory of 4408	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	115
PID 2552 wrote to memory of 4408	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	115
PID 2552 wrote to memory of 3488	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	116
PID 2552 wrote to memory of 3488	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	116
PID 2552 wrote to memory of 668	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	117
PID 2552 wrote to memory of 668	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	117
PID 2552 wrote to memory of 4420	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	118
PID 2552 wrote to memory of 4420	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	118
PID 2552 wrote to memory of 4440	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	119
PID 2552 wrote to memory of 4440	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	119
PID 2552 wrote to memory of 1388	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	120
PID 2552 wrote to memory of 1388	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	120
PID 2552 wrote to memory of 2016	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	121
PID 2552 wrote to memory of 2016	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	121
PID 2552 wrote to memory of 4756	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	122
PID 2552 wrote to memory of 4756	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	122
PID 2552 wrote to memory of 2948	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	123
PID 2552 wrote to memory of 2948	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	123
PID 2552 wrote to memory of 1164	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	124
PID 2552 wrote to memory of 1164	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	124
PID 2552 wrote to memory of 5116	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	125
PID 2552 wrote to memory of 5116	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	125
PID 2552 wrote to memory of 4088	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	126
PID 2552 wrote to memory of 4088	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	126
PID 2552 wrote to memory of 3664	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	140
PID 2552 wrote to memory of 3664	2552	23f9b03d2df5b98862c4a8786e7c60b9.exe	140
PID 3664 wrote to memory of 4448	3664	RuntimeBroker.exe	141
PID 3664 wrote to memory of 4448	3664	RuntimeBroker.exe	141
PID 3664 wrote to memory of 5044	3664	RuntimeBroker.exe	142
PID 3664 wrote to memory of 5044	3664	RuntimeBroker.exe	142
PID 4448 wrote to memory of 860	4448	WScript.exe	157
PID 4448 wrote to memory of 860	4448	WScript.exe	157
PID 860 wrote to memory of 1688	860	RuntimeBroker.exe	158
PID 860 wrote to memory of 1688	860	RuntimeBroker.exe	158
PID 860 wrote to memory of 952	860	RuntimeBroker.exe	159
PID 860 wrote to memory of 952	860	RuntimeBroker.exe	159

System policy modification 1 TTPs 9 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23f9b03d2df5b98862c4a8786e7c60b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23f9b03d2df5b98862c4a8786e7c60b9.exe
"C:\Users\Admin\AppData\Local\Temp\23f9b03d2df5b98862c4a8786e7c60b9.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d9c22b4eaa3c0b9c12c7/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/dfe2e59cddd00040f555dab607351a1d/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Program Files (x86)\Google\Update\RuntimeBroker.exe
  "C:\Program Files (x86)\Google\Update\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df77fc10-2fa5-4f72-811a-b845c86f1b9d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Program Files (x86)\Google\Update\RuntimeBroker.exe
      "C:\Program Files (x86)\Google\Update\RuntimeBroker.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6ca110-1606-4945-ac59-15bc28f44e77.vbs"
        5⤵
        
        PID:1688
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2ffb94f-b002-4262-b3fe-30e3992a5295.vbs"
        5⤵
        
        PID:952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e87c21b8-2557-4a7d-8b0b-796721e5de19.vbs"
    3⤵
    PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23f9b03d2df5b98862c4a8786e7c60b92" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\23f9b03d2df5b98862c4a8786e7c60b9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23f9b03d2df5b98862c4a8786e7c60b9" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\23f9b03d2df5b98862c4a8786e7c60b9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23f9b03d2df5b98862c4a8786e7c60b92" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\23f9b03d2df5b98862c4a8786e7c60b9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\uk-UA\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe

Filesize
5.9MB

MD5
a5e877e68384a6d747e5940661c31d58

SHA1
2f3cb8e79c94a90a85e4c4f69cc5004194bd8bee

SHA256
30967b52f782e59c43045b211b2617bf8f4106da5aea5add9ba5cc7386084512

SHA512
c999e7f7b87b52e4a496eeea68e1c762da35006234e8fb188ded9c4129a24b028c83b4b35d40dd4732f5e9cb97fed2a39cc55382f28f87388422f538394453dd

Download Submit
C:\Program Files\Internet Explorer\uk-UA\dllhost.exe

Filesize
5.9MB

MD5
23f9b03d2df5b98862c4a8786e7c60b9

SHA1
e6fee163376604e213286ef0729e9d7b4333ff24

SHA256
d8d10225adab6ebd9664f4ea8238a53b39ebe518df431ec221859221815b1177

SHA512
f9dc66a4e101f09e2c59a364e439232fc89cd4040ffa920021bf3b93a5c45f6d74c03e88f029c5c7fa7a3b0685c6ace73340231faeb039d6f26408b7fab77461

Download Submit
C:\ProgramData\ssh\dllhost.exe

Filesize
5.9MB

MD5
a0ac47a141ad55bd004c02deb5cb9cf4

SHA1
f475e72f7056d60ac1ba4ac69cb4399eacaab6a7

SHA256
4da2b82f6e4f65e4a7e1a1dd6a76eef26aaaa152a38e71e81a129fce0b03db93

SHA512
eba588fe7f53478abd0c3b7578f4c82eef29e77be80e7d89cf0d0d714ae62f67ffba37dc063a0eb281a33d9c2e8f1d68bc4a6362ffd41db0a1a0e8bbe2cf8ca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e912b11f067dfdc49fa5eec88bfb74dd

SHA1
9eb1e129867c685d0c6c3ca18e677a6da2eb3c0d

SHA256
16b497f7b55339f9dbed02d0c4a7eccd490335a253cf41ebb611e7867c35f4a5

SHA512
b2e3bdd21857af9d568b7a87c088f6ab07eac8366fbeaaa27c6bebed7e90eaa024214cfb29d1f1379ad806bb63c06b61bd7c9c4ea53636d78914ae47c09950d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
400965c5c8206c7b519873fb3aa3aebf

SHA1
0764aa4c62cc242ede7ec00e36539c20e17e5565

SHA256
e8a339e9d5f5699e83419d2fb336577a101a4cd31df7ddd8c71a88dec1593b04

SHA512
32b7c0f5745c3cbb291642e96ce907d0d71f986f0fb1f55f2c5f56dd76d9243d8ca936a7e81c0ef3962d5daf25d51bd93c5de77cdf9c3ed74101e3056e510369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc05a4f71923730b4eed5cb63f86aeed

SHA1
798199489ad94c55021a92ec812b320ed90b5711

SHA256
557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650

SHA512
fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1cktz0j.it1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf6ca110-1606-4945-ac59-15bc28f44e77.vbs

Filesize
729B

MD5
95479d892b7a73ff1d7ceab31ca62431

SHA1
d53710428861a8800c98a355716e99b5a8944494

SHA256
8cafb58fa1dcf1d60e2f5c15bc9cc769a593c54b12fad563ad08a1cf4add8297

SHA512
653d83efa419f0687f45889ea76b6f7d4f15abf2946d308f9c7a8f0fa1006210aa38590e8fd8bf5ed77a01168d48bdb6c37acbd9ce94508910c343ed5f4af949

Download Submit
C:\Users\Admin\AppData\Local\Temp\df77fc10-2fa5-4f72-811a-b845c86f1b9d.vbs

Filesize
730B

MD5
ee7d77729e46ad109400375ed621941a

SHA1
4108d350ef85d76428bb99f34cd7275a6efcaece

SHA256
7b838c86e0b77f6c45f6b1286acb1b5554bf1d33c2cc6752d609fa9612e54af4

SHA512
f4bd4e2495d1fb2960354987c22594c74a6a31db025082eadf324cef8751a0fa00d721960ac5377afb934e03b277b93957b629862d5082813f1bf5d726853c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\e87c21b8-2557-4a7d-8b0b-796721e5de19.vbs

Filesize
506B

MD5
b58bdc23f852f7809a8f7149c171541b

SHA1
2f8e1dca19893e24c1b8e6afdca72a67e2157920

SHA256
a86494f9359c41a0182bbba4ffd70052eebd1b9965ff42a07da6afdaa4aabb25

SHA512
7acecc8a97e9520abb319e4abbc2b4e385396e503fc764507e7cdd9db28a3f7f39e10ca194c85a2e30a78e7fa628e715dc5c5554d70a561437af72a5cf45540a

Download Submit
memory/860-398-0x000000001E0C0000-0x000000001E0D2000-memory.dmp

Filesize
72KB

Download
memory/952-411-0x000001F1D7450000-0x000001F1D748B000-memory.dmp

Filesize
236KB

Download
memory/1688-410-0x000001FD1FE20000-0x000001FD1FE5B000-memory.dmp

Filesize
236KB

Download
memory/2552-24-0x000000001C6F0000-0x000000001C702000-memory.dmp

Filesize
72KB

Download
memory/2552-21-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/2552-41-0x000000001CA10000-0x000000001CA1C000-memory.dmp

Filesize
48KB

Download
memory/2552-40-0x000000001CA00000-0x000000001CA0A000-memory.dmp

Filesize
40KB

Download
memory/2552-39-0x000000001C9F0000-0x000000001C9F8000-memory.dmp

Filesize
32KB

Download
memory/2552-38-0x000000001C9D0000-0x000000001C9DC000-memory.dmp

Filesize
48KB

Download
memory/2552-37-0x000000001C9C0000-0x000000001C9C8000-memory.dmp

Filesize
32KB

Download
memory/2552-35-0x000000001C9A0000-0x000000001C9A8000-memory.dmp

Filesize
32KB

Download
memory/2552-34-0x000000001C990000-0x000000001C99E000-memory.dmp

Filesize
56KB

Download
memory/2552-33-0x000000001C980000-0x000000001C98A000-memory.dmp

Filesize
40KB

Download
memory/2552-32-0x000000001C970000-0x000000001C97C000-memory.dmp

Filesize
48KB

Download
memory/2552-31-0x000000001C9E0000-0x000000001C9E8000-memory.dmp

Filesize
32KB

Download
memory/2552-29-0x000000001C750000-0x000000001C75C000-memory.dmp

Filesize
48KB

Download
memory/2552-28-0x000000001C740000-0x000000001C748000-memory.dmp

Filesize
32KB

Download
memory/2552-27-0x000000001C730000-0x000000001C73C000-memory.dmp

Filesize
48KB

Download
memory/2552-25-0x000000001CC50000-0x000000001D178000-memory.dmp

Filesize
5.2MB

Download
memory/2552-20-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/2552-9-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/2552-8-0x000000001BC40000-0x000000001BC90000-memory.dmp

Filesize
320KB

Download
memory/2552-30-0x000000001C760000-0x000000001C76C000-memory.dmp

Filesize
48KB

Download
memory/2552-7-0x00000000030F0000-0x000000000310C000-memory.dmp

Filesize
112KB

Download
memory/2552-6-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/2552-26-0x000000001C720000-0x000000001C72C000-memory.dmp

Filesize
48KB

Download
memory/2552-36-0x000000001C9B0000-0x000000001C9BE000-memory.dmp

Filesize
56KB

Download
memory/2552-1-0x00000000006A0000-0x0000000000F98000-memory.dmp

Filesize
9.0MB

Download
memory/2552-22-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/2552-335-0x00007FF968130000-0x00007FF968BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-0-0x00007FF968133000-0x00007FF968135000-memory.dmp

Filesize
8KB

Download
memory/2552-10-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/2552-11-0x0000000003130000-0x0000000003146000-memory.dmp

Filesize
88KB

Download
memory/2552-19-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/2552-12-0x0000000003150000-0x0000000003158000-memory.dmp

Filesize
32KB

Download
memory/2552-15-0x000000001BCB0000-0x000000001BCB8000-memory.dmp

Filesize
32KB

Download
memory/2552-18-0x000000001C6A0000-0x000000001C6F6000-memory.dmp

Filesize
344KB

Download
memory/2552-16-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

Filesize
64KB

Download
memory/2552-17-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

Filesize
40KB

Download
memory/2552-2-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/2552-14-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/2552-13-0x000000001BC90000-0x000000001BCA2000-memory.dmp

Filesize
72KB

Download
memory/2552-3-0x00007FF968130000-0x00007FF968BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-5-0x0000000001780000-0x000000000178E000-memory.dmp

Filesize
56KB

Download
memory/2552-4-0x0000000001770000-0x000000000177E000-memory.dmp

Filesize
56KB

Download
memory/3664-362-0x000000001D5B0000-0x000000001D606000-memory.dmp

Filesize
344KB

Download
memory/4420-211-0x0000028EFA810000-0x0000028EFA832000-memory.dmp

Filesize
136KB

Download
memory/4448-372-0x000001DFA09C0000-0x000001DFA09FB000-memory.dmp

Filesize
236KB

Download
memory/5044-373-0x0000025BB8740000-0x0000025BB877B000-memory.dmp

Filesize
236KB

Download