dcrat | add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f66f607b86f4db433d605d92d00531.exe
Size

1.6MB
MD5

21f66f607b86f4db433d605d92d00531
SHA1

f40284412b592f66288656c9883f1c740bfd6fab
SHA256

7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea
SHA512

9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5396	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	6116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	6116	schtasks.exe	88

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/1692-1-0x0000000000080000-0x0000000000222000-memory.dmp	dcrat
behavioral4/files/0x000700000002430d-26.dat	dcrat
behavioral4/files/0x000c000000024121-86.dat	dcrat
behavioral4/memory/2460-288-0x0000000000CD0000-0x0000000000E72000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5464	powershell.exe
2220	powershell.exe
1348	powershell.exe
2280	powershell.exe
2200	powershell.exe
4056	powershell.exe
2948	powershell.exe
5668	powershell.exe
2672	powershell.exe
936	powershell.exe
2016	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	21f66f607b86f4db433d605d92d00531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 12 IoCs

pid	Process
2460	dllhost.exe
5440	dllhost.exe
4748	dllhost.exe
1688	dllhost.exe
5656	dllhost.exe
432	dllhost.exe
748	dllhost.exe
4000	dllhost.exe
2716	dllhost.exe
5792	dllhost.exe
2200	dllhost.exe
1760	dllhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB9DC.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB9DD.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	21f66f607b86f4db433d605d92d00531.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\dllhost.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\ShellComponents\5940a34987c991	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ShellComponents\RCXB2F3.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ShellComponents\RCXB3CE.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ShellComponents\dllhost.exe	21f66f607b86f4db433d605d92d00531.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4940	schtasks.exe
4948	schtasks.exe
2136	schtasks.exe
4892	schtasks.exe
3216	schtasks.exe
4792	schtasks.exe
4748	schtasks.exe
4880	schtasks.exe
5552	schtasks.exe
6112	schtasks.exe
4448	schtasks.exe
4644	schtasks.exe
2396	schtasks.exe
2912	schtasks.exe
4924	schtasks.exe
4772	schtasks.exe
4428	schtasks.exe
4648	schtasks.exe
5708	schtasks.exe
4496	schtasks.exe
4520	schtasks.exe
3432	schtasks.exe
5396	schtasks.exe
4740	schtasks.exe
2876	schtasks.exe
2516	schtasks.exe
4836	schtasks.exe
4760	schtasks.exe
4676	schtasks.exe
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
1692	21f66f607b86f4db433d605d92d00531.exe
5464	powershell.exe
5464	powershell.exe
936	powershell.exe
936	powershell.exe
2672	powershell.exe
2672	powershell.exe
4056	powershell.exe
4056	powershell.exe
2280	powershell.exe
2280	powershell.exe
1348	powershell.exe
1348	powershell.exe
5668	powershell.exe
5668	powershell.exe
2220	powershell.exe
2220	powershell.exe
2280	powershell.exe
2200	powershell.exe
2200	powershell.exe
2948	powershell.exe
2948	powershell.exe
2016	powershell.exe
2016	powershell.exe
936	powershell.exe
5464	powershell.exe
5668	powershell.exe
2672	powershell.exe
4056	powershell.exe
2200	powershell.exe
2948	powershell.exe
2016	powershell.exe
1348	powershell.exe
2220	powershell.exe
2460	dllhost.exe
2460	dllhost.exe
5440	dllhost.exe
4748	dllhost.exe
1688	dllhost.exe
5656	dllhost.exe
432	dllhost.exe
432	dllhost.exe
748	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	5668	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2460	dllhost.exe
Token: SeDebugPrivilege	5440	dllhost.exe
Token: SeDebugPrivilege	4748	dllhost.exe
Token: SeDebugPrivilege	1688	dllhost.exe
Token: SeDebugPrivilege	5656	dllhost.exe
Token: SeDebugPrivilege	432	dllhost.exe
Token: SeDebugPrivilege	748	dllhost.exe
Token: SeDebugPrivilege	4000	dllhost.exe
Token: SeDebugPrivilege	2716	dllhost.exe
Token: SeDebugPrivilege	5792	dllhost.exe
Token: SeDebugPrivilege	2200	dllhost.exe
Token: SeDebugPrivilege	1760	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 5464	1692	21f66f607b86f4db433d605d92d00531.exe	122
PID 1692 wrote to memory of 5464	1692	21f66f607b86f4db433d605d92d00531.exe	122
PID 1692 wrote to memory of 2948	1692	21f66f607b86f4db433d605d92d00531.exe	123
PID 1692 wrote to memory of 2948	1692	21f66f607b86f4db433d605d92d00531.exe	123
PID 1692 wrote to memory of 4056	1692	21f66f607b86f4db433d605d92d00531.exe	124
PID 1692 wrote to memory of 4056	1692	21f66f607b86f4db433d605d92d00531.exe	124
PID 1692 wrote to memory of 2016	1692	21f66f607b86f4db433d605d92d00531.exe	125
PID 1692 wrote to memory of 2016	1692	21f66f607b86f4db433d605d92d00531.exe	125
PID 1692 wrote to memory of 936	1692	21f66f607b86f4db433d605d92d00531.exe	126
PID 1692 wrote to memory of 936	1692	21f66f607b86f4db433d605d92d00531.exe	126
PID 1692 wrote to memory of 2672	1692	21f66f607b86f4db433d605d92d00531.exe	128
PID 1692 wrote to memory of 2672	1692	21f66f607b86f4db433d605d92d00531.exe	128
PID 1692 wrote to memory of 5668	1692	21f66f607b86f4db433d605d92d00531.exe	130
PID 1692 wrote to memory of 5668	1692	21f66f607b86f4db433d605d92d00531.exe	130
PID 1692 wrote to memory of 2220	1692	21f66f607b86f4db433d605d92d00531.exe	131
PID 1692 wrote to memory of 2220	1692	21f66f607b86f4db433d605d92d00531.exe	131
PID 1692 wrote to memory of 2200	1692	21f66f607b86f4db433d605d92d00531.exe	132
PID 1692 wrote to memory of 2200	1692	21f66f607b86f4db433d605d92d00531.exe	132
PID 1692 wrote to memory of 2280	1692	21f66f607b86f4db433d605d92d00531.exe	133
PID 1692 wrote to memory of 2280	1692	21f66f607b86f4db433d605d92d00531.exe	133
PID 1692 wrote to memory of 1348	1692	21f66f607b86f4db433d605d92d00531.exe	134
PID 1692 wrote to memory of 1348	1692	21f66f607b86f4db433d605d92d00531.exe	134
PID 1692 wrote to memory of 2460	1692	21f66f607b86f4db433d605d92d00531.exe	144
PID 1692 wrote to memory of 2460	1692	21f66f607b86f4db433d605d92d00531.exe	144
PID 2460 wrote to memory of 3368	2460	dllhost.exe	146
PID 2460 wrote to memory of 3368	2460	dllhost.exe	146
PID 2460 wrote to memory of 2980	2460	dllhost.exe	147
PID 2460 wrote to memory of 2980	2460	dllhost.exe	147
PID 3368 wrote to memory of 5440	3368	WScript.exe	151
PID 3368 wrote to memory of 5440	3368	WScript.exe	151
PID 5440 wrote to memory of 4428	5440	dllhost.exe	152
PID 5440 wrote to memory of 4428	5440	dllhost.exe	152
PID 5440 wrote to memory of 4648	5440	dllhost.exe	153
PID 5440 wrote to memory of 4648	5440	dllhost.exe	153
PID 4428 wrote to memory of 4748	4428	WScript.exe	156
PID 4428 wrote to memory of 4748	4428	WScript.exe	156
PID 4748 wrote to memory of 5300	4748	dllhost.exe	157
PID 4748 wrote to memory of 5300	4748	dllhost.exe	157
PID 4748 wrote to memory of 348	4748	dllhost.exe	158
PID 4748 wrote to memory of 348	4748	dllhost.exe	158
PID 5300 wrote to memory of 1688	5300	WScript.exe	160
PID 5300 wrote to memory of 1688	5300	WScript.exe	160
PID 1688 wrote to memory of 1372	1688	dllhost.exe	161
PID 1688 wrote to memory of 1372	1688	dllhost.exe	161
PID 1688 wrote to memory of 3528	1688	dllhost.exe	162
PID 1688 wrote to memory of 3528	1688	dllhost.exe	162
PID 1372 wrote to memory of 5656	1372	WScript.exe	163
PID 1372 wrote to memory of 5656	1372	WScript.exe	163
PID 5656 wrote to memory of 3096	5656	dllhost.exe	164
PID 5656 wrote to memory of 3096	5656	dllhost.exe	164
PID 5656 wrote to memory of 1644	5656	dllhost.exe	165
PID 5656 wrote to memory of 1644	5656	dllhost.exe	165
PID 3096 wrote to memory of 432	3096	WScript.exe	166
PID 3096 wrote to memory of 432	3096	WScript.exe	166
PID 432 wrote to memory of 2284	432	dllhost.exe	167
PID 432 wrote to memory of 2284	432	dllhost.exe	167
PID 432 wrote to memory of 220	432	dllhost.exe	168
PID 432 wrote to memory of 220	432	dllhost.exe	168
PID 2284 wrote to memory of 748	2284	WScript.exe	170
PID 2284 wrote to memory of 748	2284	WScript.exe	170
PID 748 wrote to memory of 5508	748	dllhost.exe	171
PID 748 wrote to memory of 5508	748	dllhost.exe	171
PID 748 wrote to memory of 2688	748	dllhost.exe	172
PID 748 wrote to memory of 2688	748	dllhost.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe
"C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Recovery\WindowsRE\dllhost.exe
  "C:\Recovery\WindowsRE\dllhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f869ada6-040e-4d72-a21a-af9bb04c57c8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Recovery\WindowsRE\dllhost.exe
      C:\Recovery\WindowsRE\dllhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71e69f75-a091-4673-883c-ca5ebd0368e6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b64664-0d1f-460e-8454-8c9a729eb383.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5300
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6443f3e1-9aad-4dba-9505-1ff89c5727fb.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2227b1e4-b694-4148-8589-f1337988b864.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e42abec3-f25f-4459-a384-7248a526b8c5.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8608f9c6-f423-4e1d-9008-8c73b74788e7.vbs"
        15⤵
        
        PID:5508
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d6d458b-fded-4e62-860f-881fa279a71a.vbs"
        17⤵
        
        PID:704
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1db1bcc-567b-4b80-a502-e96404ef709b.vbs"
        19⤵
        
        PID:4156
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8127e10c-179e-4ff0-91cf-a6b1f8e3e11d.vbs"
        21⤵
        
        PID:5404
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0fbd1f-2da8-4ac5-912b-21a96457299a.vbs"
        23⤵
        
        PID:4852
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff5080d4-a2e5-428d-a9db-50b14bdd7eab.vbs"
        25⤵
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc74f2c1-ff1b-4f3d-881d-f31c4edd67d7.vbs"
        25⤵
        
        PID:6004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c723dec1-8211-488b-94e9-a3c47b9322e2.vbs"
        23⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4aeaac-d12b-494b-8a14-a29c3f3606e4.vbs"
        21⤵
        
        PID:5192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc9169d0-ad3c-4e29-8d3c-1f54b49791b4.vbs"
        19⤵
        
        PID:5896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c18d49a-e6f1-4c52-878a-1d5b078315f8.vbs"
        17⤵
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c6f0be3-ac6b-48a4-bfff-6b27fffe8a55.vbs"
        15⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4ecc999-ee56-4cd3-a282-03ceda40feed.vbs"
        13⤵
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d262708-043a-494f-b5ae-82b4236c066f.vbs"
        11⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31c0141f-ab97-4a01-a09d-09465d1992b9.vbs"
        9⤵
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba872ee5-ccf2-409d-ac37-45586ddef870.vbs"
        7⤵
        
        PID:348
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3df9f9e0-72d1-4dd9-95bb-10e6cfc162bc.vbs"
        5⤵
        
        PID:4648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55d2599e-3182-4bb0-a606-e5a1011959a2.vbs"
    3⤵
    PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXACC4.tmp

Filesize
1.6MB

MD5
ace2cb594c1d38df93527e64bb9fc20d

SHA1
853c9890a4203377c1e4945febe02d3a3230d1d7

SHA256
62daa5764e6cbcf7f13977f276547495a3f415561f1c7aa1be0299ce88d30a93

SHA512
c696cfea4e61b86a0163ec4eb00e691e6271468f4bbe6d148ad582404a1857007a891ede504d001da6ca78eed4b1751c0b6af8935a35369e36107940be2f5461

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.6MB

MD5
21f66f607b86f4db433d605d92d00531

SHA1
f40284412b592f66288656c9883f1c740bfd6fab

SHA256
7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea

SHA512
9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
643f98db244717856667bfd771e9db1c

SHA1
5434950e3506ae0cca216690c8fb5d2b38dd591d

SHA256
5e01aecf68e759cce4264330c3b7bc5b30b0d6c17718e558543c87530cf78256

SHA512
886d498dfce303f191b32d7001197aad7bd5eec12b5885ef620be32750902da2369536b10f451e712380bd7b420c051447b998d42f53ffae9b6a358c4db66a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f26021db51b2ceb0c03baf5665a86386

SHA1
5487265d705c72daa8495c543f2182a64b373da3

SHA256
56a4d25798b8d3102fec5025892dd6ff79500aee72db311e82b1308f1783db6f

SHA512
e09f018d22c3dee7ff7dbd6d79182e5c94be1aba0ceaeef3652d254712fa8393dc81002e20de3749abd3420ce0ed23dee176fa50eeaf80d6ee09a9dae2a1a49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ec1de5af22ee94e2a00a91da98957bd

SHA1
0ade5098be757a47adb6d5d0dbf576bcf41d6253

SHA256
540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

SHA512
8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7cfa57226f15f18e8c29720a8a6efc8b

SHA1
fef3b41b9715cd37a0bb9ab323fc9aa62158d55b

SHA256
53d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb

SHA512
d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820

Download Submit
C:\Users\Admin\AppData\Local\Temp\15b64664-0d1f-460e-8454-8c9a729eb383.vbs

Filesize
709B

MD5
4036f51c91e64345a8198334e536fdf6

SHA1
90c73bcb2148abbf20ea928e7236b710282c4647

SHA256
66668e5366a7e102120dbb850f3f1b0e153b793a2acac03f21070c11dafd6245

SHA512
2d37d4e5ab51bbb77766f67bd5e894a303f3735c7c86b0e8b6d5f88926fe653cb25df1c9c349dc7f5c9c217e536d124816df9e5d0cb29dc173969649e2247586

Download Submit
C:\Users\Admin\AppData\Local\Temp\2227b1e4-b694-4148-8589-f1337988b864.vbs

Filesize
709B

MD5
93a39d7653d68cfb6ac3568f63907a5c

SHA1
b9dd49de19015dd2f104c908684b3f8087290e2a

SHA256
429e5a777e7f7995d1a8dc554e615eeda05f4f703cc942b1e6a200f893eb6666

SHA512
67021db1be4d3f87c195a66b46383ab097bf7080679b70757d27873a1ebbdd212278a661dfc2519c0d8bbb0fc5cb2c8e9856aa51d63de696a641177d0b5d73cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d6d458b-fded-4e62-860f-881fa279a71a.vbs

Filesize
709B

MD5
13ba794f4eb2345618873f7bb80111fa

SHA1
848fbaffe3fd1e515d2eee05260c085b981db725

SHA256
cca8e0d79561ce44a72200f122e9c9e129ea93cf02ae15ba1e0804e58428e1b2

SHA512
a3928433b0c5eebea6582c15059e045d98a93de0f88904b1428a73808bbe40a291d547c80352881c84e139ba4567b42dbb9d3f2b25075ba167d9ec612385559f

Download Submit
C:\Users\Admin\AppData\Local\Temp\55d2599e-3182-4bb0-a606-e5a1011959a2.vbs

Filesize
485B

MD5
ae568b4eeb9c4e904c5dc4ed9f3b8f37

SHA1
69f13822124b9cf23e4453b82af180e1cce2710a

SHA256
870c155eb6c2a7495cd8564f78c34427702463e55d2279f70938f8084ad37a7b

SHA512
e5a1bd51de6ae738e601e419f75028363b9ed076ba83aff7a588cb9a3c2eed77267854f7e185834f07946ac67cc25af0a98f510aea34eac769a9f8e8a2b41c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\6443f3e1-9aad-4dba-9505-1ff89c5727fb.vbs

Filesize
709B

MD5
0cbd1a1c519384f4568e35c2188d49c9

SHA1
8008c27f85e6ec34cfce7cc451ebd21b772d37c8

SHA256
9d43ce6ffa77d73919325ccdbda3bd543d2966a2dc1a9073559f34b840fee109

SHA512
546b984562de3c2c1f102b04c323a4e4e68cc5f133b15df067bb13127526f830b3ebc3a5a6467f4daa94a67eca68c011cf55fcc033e1e27a980fde73803d6a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\71e69f75-a091-4673-883c-ca5ebd0368e6.vbs

Filesize
709B

MD5
bcec02d4523f6892f77ffb6a4a0db058

SHA1
55dfe2df01ed6576a630f022985eae42d80317a9

SHA256
154c3e9f1fa35f53be32df6828e4aea17759c126f32aacda0066a1a0d818c8a1

SHA512
b13a8dc7839b0d91f6f34d90fbaf7f5aac4425df951e2f01844b59038fe5559962578f8dd016318b7355ebc51a8b71e786bcab99a5e065d96564ccb7dcaa96b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8127e10c-179e-4ff0-91cf-a6b1f8e3e11d.vbs

Filesize
709B

MD5
0869d395f0f811f66200cb0d2fff734f

SHA1
dbc1de2740e8236ad2a4777dfbad6cedcad1c491

SHA256
9d20b305715d6c5fb6c521731c60d04e03601c0ba14f143993613ca30662f0df

SHA512
9fb6f7c335dd4f097087045bfddeefb770328fbe4fcde31452929937ce88097d2619243730aa0870e3cee552165a529d43618a205419711dc75eabb8246e1778

Download Submit
C:\Users\Admin\AppData\Local\Temp\8608f9c6-f423-4e1d-9008-8c73b74788e7.vbs

Filesize
708B

MD5
bbd324096c6c49e1ccab9e650cb1a39f

SHA1
f22c70f859130ee0833c3bb90edf52f9bafd6033

SHA256
9256e2d06bca3c05a5ccc976158ade5957a5b0e1467856a9a4cb532b0347ca52

SHA512
8c157219ce00a8c2c40fb313fc0c98fa938248a5e7db2e314c26a4cb6957b0c00b8a194c4eeec7ec6155e551b0255d3af65c6b1c3d8a4e4f98fa6a75749ca5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrrj0pax.2m5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1db1bcc-567b-4b80-a502-e96404ef709b.vbs

Filesize
709B

MD5
c5cca8a03f3c2b994583255bc3f0f790

SHA1
1dfa3dde9343cf0279491a2aa45655b2ccdf4b07

SHA256
9bbf10113fd5aa8a106abf0522eadd6c766c53b618f34eeb8e16428ba1e35a3e

SHA512
d9f2be2c3f8e3e3ca8d7e28f7b9e050eb58d429ce67de7258eb76e4064306a4fd565c7375043557320cf05f88f430f7563a777f2183b27f10fd96565ba868af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab0fbd1f-2da8-4ac5-912b-21a96457299a.vbs

Filesize
709B

MD5
e2667592aa3a69ee437352f49650f5ef

SHA1
a91165b9f9425c83b88bc43c83846ec67982abcd

SHA256
bb705334add00110005d88b2a7df2b48229c458253d3b18d1dd42907a5f90551

SHA512
1001cb0a2110199931022103309472a5e12c3796ba6ee12c9f708bc81230b76bc0cf16708bc34f289ea79adb004bb2f018c6dfe3cf4840fe388eb64d554b58eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e42abec3-f25f-4459-a384-7248a526b8c5.vbs

Filesize
708B

MD5
f8fc69dae0e19d22afd2d1aa5b801c61

SHA1
d594806f8a42200b8bec0747498bd928e9bfb878

SHA256
25842a52e310d630f317014c97580f68bbc8200e0506db7f4ffb403315496dd6

SHA512
2fb57b4ed1c425caafe284a54bfa70f0c21888b713ad27f88fdd7bb93424087819565f501c33248041646c766a368bee42d472888605bfdfd3e6e50b460aae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f869ada6-040e-4d72-a21a-af9bb04c57c8.vbs

Filesize
709B

MD5
1d35823913728c8b21079fcbbc9eff34

SHA1
d5705bc9c5b81d80f8c3533629b9218f102b032b

SHA256
ed58f4b485ffa0999646d52a762a01936a7581b301ce04c3e47d29a3c843c3bb

SHA512
5e20791082e3824160952a608cc03d2b343675f4423cb6bfc553b295bcaa5f5414970a4db175f6dfc033cd504070dfa813d293d01209c8176e9ef308f7d2200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff5080d4-a2e5-428d-a9db-50b14bdd7eab.vbs

Filesize
709B

MD5
7b7e0a92f3564195e71de88f1fbcaafc

SHA1
e9857d78cb978bad2adb22a6ce92c49ccf9899b6

SHA256
2fe1e51a23a7d3bc15f1a4b09d360cf7eb0b2b0ce7f31771e9aba4b72bc7150b

SHA512
110776c6b8ea290f54c90951b97aa41b13c7117497ba93f4f12dd961d830563b23cf7511eed5d053c3d0bd7722ddb59f7ee1a1c28a19dba3b80dfad7dfe82b75

Download Submit
memory/432-382-0x000000001C0C0000-0x000000001C1C2000-memory.dmp

Filesize
1.0MB

Download
memory/1688-357-0x000000001C680000-0x000000001C782000-memory.dmp

Filesize
1.0MB

Download
memory/1692-12-0x000000001AEC0000-0x000000001AECA000-memory.dmp

Filesize
40KB

Download
memory/1692-11-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/1692-1-0x0000000000080000-0x0000000000222000-memory.dmp

Filesize
1.6MB

Download
memory/1692-286-0x00007FFF3A983000-0x00007FFF3A985000-memory.dmp

Filesize
8KB

Download
memory/1692-2-0x00007FFF3A980000-0x00007FFF3B441000-memory.dmp

Filesize
10.8MB

Download
memory/1692-17-0x000000001B720000-0x000000001B72C000-memory.dmp

Filesize
48KB

Download
memory/1692-16-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/1692-13-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/1692-14-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/1692-15-0x000000001B700000-0x000000001B708000-memory.dmp

Filesize
32KB

Download
memory/1692-0-0x00007FFF3A983000-0x00007FFF3A985000-memory.dmp

Filesize
8KB

Download
memory/1692-289-0x00007FFF3A980000-0x00007FFF3B441000-memory.dmp

Filesize
10.8MB

Download
memory/1692-10-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/1692-9-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/1692-3-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

Filesize
112KB

Download
memory/1692-5-0x00000000009D0000-0x00000000009E0000-memory.dmp

Filesize
64KB

Download
memory/1692-6-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1692-7-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1692-8-0x000000001AE90000-0x000000001AEA0000-memory.dmp

Filesize
64KB

Download
memory/1692-4-0x000000001AEE0000-0x000000001AF30000-memory.dmp

Filesize
320KB

Download
memory/2460-288-0x0000000000CD0000-0x0000000000E72000-memory.dmp

Filesize
1.6MB

Download
memory/5464-185-0x000002126D8F0000-0x000002126D912000-memory.dmp

Filesize
136KB

Download
memory/5656-370-0x000000001C010000-0x000000001C112000-memory.dmp

Filesize
1.0MB

Download
memory/5656-369-0x000000001C010000-0x000000001C112000-memory.dmp

Filesize
1.0MB

Download