dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Size

1.6MB
MD5

e9a51358da08f22af241931abad598ae
SHA1

04afc75b8bd8a406d03b844292ac955499feb7bf
SHA256

301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db
SHA512

fe3c8a7ecca641122815dc2ecdaec54811318291df3fd278a9516e5a87b95b76b92caef20efbdf382bf286fa5d3d71ddc35d53a8097b5972e8c03a7b1cc36eab
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4880	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	4880	schtasks.exe	88

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/1504-1-0x0000000000670000-0x0000000000812000-memory.dmp	dcrat
behavioral30/files/0x0007000000024264-26.dat	dcrat
behavioral30/files/0x00110000000240a2-103.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4836	powershell.exe
5376	powershell.exe
6056	powershell.exe
5344	powershell.exe
2380	powershell.exe
3608	powershell.exe
1052	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 14 IoCs

pid	Process
5888	sihost.exe
4548	sihost.exe
2000	sihost.exe
2808	sihost.exe
1616	sihost.exe
1796	sihost.exe
2992	sihost.exe
1784	sihost.exe
412	sihost.exe
2168	sihost.exe
5824	sihost.exe
4532	sihost.exe
2316	sihost.exe
2856	sihost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4860_1146586963\RCX5F7D.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\edge_BITS_4860_1146586963\RCX5F8E.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCX63A8.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCX6416.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\22eafd247d37c3	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\edge_BITS_4860_1146586963\sihost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\edge_BITS_4860_1146586963\sihost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\edge_BITS_4860_1146586963\66fc9ff0ee96c2	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\upfc.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\Cursors\upfc.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\Cursors\ea1d8f6d871115	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\Cursors\RCX593E.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\Cursors\RCX593F.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4916	schtasks.exe
2976	schtasks.exe
5264	schtasks.exe
4448	schtasks.exe
5060	schtasks.exe
6016	schtasks.exe
4796	schtasks.exe
2544	schtasks.exe
5028	schtasks.exe
6128	schtasks.exe
676	schtasks.exe
4960	schtasks.exe
5016	schtasks.exe
916	schtasks.exe
4820	schtasks.exe
6060	schtasks.exe
4204	schtasks.exe
5048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
5376	powershell.exe
5376	powershell.exe
4836	powershell.exe
4836	powershell.exe
6056	powershell.exe
6056	powershell.exe
1052	powershell.exe
1052	powershell.exe
5344	powershell.exe
5344	powershell.exe
3608	powershell.exe
3608	powershell.exe
2380	powershell.exe
2380	powershell.exe
1052	powershell.exe
3608	powershell.exe
6056	powershell.exe
5376	powershell.exe
2380	powershell.exe
4836	powershell.exe
5344	powershell.exe
5888	sihost.exe
4548	sihost.exe
2000	sihost.exe
2000	sihost.exe
2808	sihost.exe
2808	sihost.exe
1616	sihost.exe
1616	sihost.exe
1796	sihost.exe
1796	sihost.exe
2992	sihost.exe
2992	sihost.exe
1784	sihost.exe
412	sihost.exe
412	sihost.exe
2168	sihost.exe
2168	sihost.exe
5824	sihost.exe
4532	sihost.exe
4532	sihost.exe
2316	sihost.exe
2316	sihost.exe
2856	sihost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	5888	sihost.exe
Token: SeDebugPrivilege	4548	sihost.exe
Token: SeDebugPrivilege	2000	sihost.exe
Token: SeDebugPrivilege	2808	sihost.exe
Token: SeDebugPrivilege	1616	sihost.exe
Token: SeDebugPrivilege	1796	sihost.exe
Token: SeDebugPrivilege	2992	sihost.exe
Token: SeDebugPrivilege	1784	sihost.exe
Token: SeDebugPrivilege	412	sihost.exe
Token: SeDebugPrivilege	2168	sihost.exe
Token: SeDebugPrivilege	5824	sihost.exe
Token: SeDebugPrivilege	4532	sihost.exe
Token: SeDebugPrivilege	2316	sihost.exe
Token: SeDebugPrivilege	2856	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 6056	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	107
PID 1504 wrote to memory of 6056	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	107
PID 1504 wrote to memory of 5376	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	108
PID 1504 wrote to memory of 5376	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	108
PID 1504 wrote to memory of 4836	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	109
PID 1504 wrote to memory of 4836	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	109
PID 1504 wrote to memory of 5344	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	111
PID 1504 wrote to memory of 5344	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	111
PID 1504 wrote to memory of 1052	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	112
PID 1504 wrote to memory of 1052	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	112
PID 1504 wrote to memory of 3608	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	113
PID 1504 wrote to memory of 3608	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	113
PID 1504 wrote to memory of 2380	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	115
PID 1504 wrote to memory of 2380	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	115
PID 1504 wrote to memory of 4636	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	121
PID 1504 wrote to memory of 4636	1504	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	121
PID 4636 wrote to memory of 2548	4636	cmd.exe	123
PID 4636 wrote to memory of 2548	4636	cmd.exe	123
PID 4636 wrote to memory of 5888	4636	cmd.exe	124
PID 4636 wrote to memory of 5888	4636	cmd.exe	124
PID 5888 wrote to memory of 4748	5888	sihost.exe	126
PID 5888 wrote to memory of 4748	5888	sihost.exe	126
PID 5888 wrote to memory of 2292	5888	sihost.exe	127
PID 5888 wrote to memory of 2292	5888	sihost.exe	127
PID 4748 wrote to memory of 4548	4748	WScript.exe	130
PID 4748 wrote to memory of 4548	4748	WScript.exe	130
PID 4548 wrote to memory of 4268	4548	sihost.exe	134
PID 4548 wrote to memory of 4268	4548	sihost.exe	134
PID 4548 wrote to memory of 3596	4548	sihost.exe	135
PID 4548 wrote to memory of 3596	4548	sihost.exe	135
PID 4268 wrote to memory of 2000	4268	WScript.exe	144
PID 4268 wrote to memory of 2000	4268	WScript.exe	144
PID 2000 wrote to memory of 1496	2000	sihost.exe	146
PID 2000 wrote to memory of 1496	2000	sihost.exe	146
PID 2000 wrote to memory of 1632	2000	sihost.exe	147
PID 2000 wrote to memory of 1632	2000	sihost.exe	147
PID 1496 wrote to memory of 2808	1496	WScript.exe	148
PID 1496 wrote to memory of 2808	1496	WScript.exe	148
PID 2808 wrote to memory of 4836	2808	sihost.exe	150
PID 2808 wrote to memory of 4836	2808	sihost.exe	150
PID 2808 wrote to memory of 2712	2808	sihost.exe	151
PID 2808 wrote to memory of 2712	2808	sihost.exe	151
PID 4836 wrote to memory of 1616	4836	WScript.exe	153
PID 4836 wrote to memory of 1616	4836	WScript.exe	153
PID 1616 wrote to memory of 2416	1616	sihost.exe	155
PID 1616 wrote to memory of 2416	1616	sihost.exe	155
PID 1616 wrote to memory of 2212	1616	sihost.exe	156
PID 1616 wrote to memory of 2212	1616	sihost.exe	156
PID 2416 wrote to memory of 1796	2416	WScript.exe	157
PID 2416 wrote to memory of 1796	2416	WScript.exe	157
PID 1796 wrote to memory of 5556	1796	sihost.exe	159
PID 1796 wrote to memory of 5556	1796	sihost.exe	159
PID 1796 wrote to memory of 5380	1796	sihost.exe	160
PID 1796 wrote to memory of 5380	1796	sihost.exe	160
PID 5556 wrote to memory of 2992	5556	WScript.exe	161
PID 5556 wrote to memory of 2992	5556	WScript.exe	161
PID 2992 wrote to memory of 1392	2992	sihost.exe	163
PID 2992 wrote to memory of 1392	2992	sihost.exe	163
PID 2992 wrote to memory of 5016	2992	sihost.exe	164
PID 2992 wrote to memory of 5016	2992	sihost.exe	164
PID 1392 wrote to memory of 1784	1392	WScript.exe	166
PID 1392 wrote to memory of 1784	1392	WScript.exe	166
PID 1784 wrote to memory of 2924	1784	sihost.exe	168
PID 1784 wrote to memory of 2924	1784	sihost.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
"C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4860_1146586963\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q1IAg9p0i7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2548
- - C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
    "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5888
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2938e3-1a3b-4ffd-a4c7-3487d2e62e85.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8d30451-cf1f-44db-87ab-b4b9f03fc711.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b48f5083-3c44-4084-8332-50da6837832b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\415c49bd-5741-450a-81de-5c65573a08a7.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b14917f8-5a89-4f00-9d6f-541b61c116d5.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e5b5c81-d485-411f-8d6b-24c782b8f007.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5556
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c03926f-e86c-4287-8bfc-248ad8651bb7.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0e8068a-a01d-4965-9405-3226877cfd0b.vbs"
        18⤵
        
        PID:2924
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2614075-508a-461e-aa84-a7fdc0722d28.vbs"
        20⤵
        
        PID:116
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97988c95-8ebc-47ec-95e5-0d745e10a534.vbs"
        22⤵
        
        PID:2320
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8ece67-9937-4774-a366-4cc058cc79f0.vbs"
        24⤵
        
        PID:2704
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d64f0579-bb3b-4d21-abe5-ca99c129f268.vbs"
        26⤵
        
        PID:1796
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84594aa2-af65-4497-a3e3-1ef66dc5f25c.vbs"
        28⤵
        
        PID:5664
        
        C:\Program Files\edge_BITS_4860_1146586963\sihost.exe
        
        "C:\Program Files\edge_BITS_4860_1146586963\sihost.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b904936-f38e-40de-9b6a-dded6411a5e3.vbs"
        30⤵
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc86a7db-4a7a-42ac-b80f-15d01d02223c.vbs"
        30⤵
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4b4979-8252-4a2f-81e5-2db581d570ce.vbs"
        28⤵
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62b26356-daa4-4dfe-8349-b34120f0a015.vbs"
        26⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8d0a781-a89b-4842-9acf-2d8f37ba8db6.vbs"
        24⤵
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f04a024-d03a-4e96-a77b-3317c287e9ac.vbs"
        22⤵
        
        PID:4616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6748dd24-fdcc-474f-b47e-365ee0142ba2.vbs"
        20⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1be1b59-19ac-44e9-92ab-7e9fb9cd7ad8.vbs"
        18⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8bde697-c408-4992-8e0d-0ccb301aee9f.vbs"
        16⤵
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3244a8c1-b11b-4ec7-aadc-b17f98f8ccea.vbs"
        14⤵
        
        PID:5380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\488a6647-f94c-4170-ba71-44ecd52fc991.vbs"
        12⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b62dea6-c576-4cdb-b984-5decb45b1298.vbs"
        10⤵
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4708f058-a02b-4e9e-9fb5-980d8d499231.vbs"
        8⤵
        
        PID:1632
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68425f3c-3823-40e9-9b5b-24286857af94.vbs"
        6⤵
        
        PID:3596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\699060dc-502e-4ba0-bac6-8c20e04addf6.vbs"
      4⤵
      PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Cursors\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\34c553de294c1d56d0a800105b\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4860_1146586963\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4860_1146586963\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4860_1146586963\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\TextInputHost.exe

Filesize
1.6MB

MD5
75cc3c0bc87c3fe4ef7167cac816169c

SHA1
1b5430714cf42f19591073eea279d9a3865712a5

SHA256
47ebf524a962362042385c90e5e3d3420251f723710d2399ed610f8953db484d

SHA512
4f6b288cdb94984e9704bec1a4973c7c77d3ab38a92169f6ebf1203e326b35916b2df39bb228b69527275eac9cb57b8479ec10df977140f68a592b6d5db15d65

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.6MB

MD5
e9a51358da08f22af241931abad598ae

SHA1
04afc75b8bd8a406d03b844292ac955499feb7bf

SHA256
301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db

SHA512
fe3c8a7ecca641122815dc2ecdaec54811318291df3fd278a9516e5a87b95b76b92caef20efbdf382bf286fa5d3d71ddc35d53a8097b5972e8c03a7b1cc36eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc1d0291bbd8e80c9703fb1f4b4d14dc

SHA1
084009b8f1e67e03c9b7333293fbc00d3617948e

SHA256
4a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a

SHA512
75672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
585ae509b29294ceb1637c32af422246

SHA1
e21edbd701684feb5ae759179580b7112b49e5c0

SHA256
364297915313f721d05e88312a8ad352c1edc72833b320c04cb640ecd4544cc1

SHA512
b484e5f7b67cdd752800ba2e4240329dfe0fd83bf01cbad869f8a3d7c9ab041e400c421ddc7652634067af8d8eb7c21a1e48420ee2685f9d7d914ecc57572b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb7fc2c643e952a1d3241b5fac8ef241

SHA1
4310dc08d34678c0a48c7cacb94f313f9fdd3720

SHA256
7ac9e52f11de3f117d7a7f1bda793dd60756b764e4f0217ff87c66a20bf96d16

SHA512
8ceb0a588e3b3cabf9edf80dbfbc24b1f3fb2f379e3cf9262c6ba762ab1d5b89d4f394a67c2756f58e7bd879ab94e232e41bd7d8c611fcfcca976fb3188f3099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
084d49c16a0db5a169356315e8e97d83

SHA1
af662c8666ef7c52c9711c0f143e0b8620f27d19

SHA256
a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2

SHA512
c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c03926f-e86c-4287-8bfc-248ad8651bb7.vbs

Filesize
729B

MD5
53e9368c92936d83ffd3d59cc1f7b559

SHA1
35d7cc59651d1cb007786c870e92359ccee0473f

SHA256
7026abe14c2fdd43830d7691f17e0e85df2c98382b413fc261af55f3cd775b9f

SHA512
8d3aaa677db95e40c9a2894c36d61a8eb6f751844bbd6383b723ae61308a6cb66dbb06a257161b8f68af4b304ad3e544f16c62e6478281f25af897c194f63444

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e8ece67-9937-4774-a366-4cc058cc79f0.vbs

Filesize
729B

MD5
3ea111be1c115b58203137ec6d8ba0fb

SHA1
74f3cd03497dc82111265c11a5fc4725ddf319b0

SHA256
b706f3dd09a2f895997f0f1ca9db6c9b59a80902e987edecd4fcf5220509cb70

SHA512
ea2fd19fa1a5521fa6bbad97dccaa2632436aef933caf92aad33c125843d0dca3bb93ce36946fb1381a69abc2ec744ed6879125a5be7466470624d0ea70c7a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\415c49bd-5741-450a-81de-5c65573a08a7.vbs

Filesize
729B

MD5
0653582c98be1b7e5158bff40f40810d

SHA1
0eb64217bafa6c1c249cb5fefa92aa30dbad6378

SHA256
bee9677fb33da9a1a10c5e4187734e314a6b29b3934e1442145634886f2d75ea

SHA512
e693a3a49b6e04c66d7c4a6a6b785ed26edb4ec39c87d8384e76254890cd29fef9e6c8b6985ef813f1159446d67b1586e4e3c621314bea43e2768ba8d7797ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\699060dc-502e-4ba0-bac6-8c20e04addf6.vbs

Filesize
505B

MD5
52ef1bfb8ba3ee9c430145f679c1e66b

SHA1
0942ce189a9a85e854c25d584d8b891613ca895a

SHA256
e6c08a8fc6fa81f825c36ab34965757ec83d9d14145d9b3f9626f0173afc3896

SHA512
4419875abe2a472b7827cbc9226e8aa891afc7f56035fa16093f377e4a20f4f3a58f2e1e3d708068fc5e1c1ec31c92950ebf7c0ae23378e2fca59c49b5f43f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b904936-f38e-40de-9b6a-dded6411a5e3.vbs

Filesize
729B

MD5
482265eb84a1c3bea9be50b87872ed3f

SHA1
98f7db7869b92737e62fd459edd81364fda03d5b

SHA256
4fcf6b73de012ba2fa7c8cab162615f99640b7a6b059b5e5b100145a3e1df4d2

SHA512
52b4c4dbc5c67ea25d9759abfe6e0f6fc1cf18af935f097aa4e932225e50701441b00ef7ac852fe1a585856e80fd13e3ebaa6803f81788d52a0f4644d80f2f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\84594aa2-af65-4497-a3e3-1ef66dc5f25c.vbs

Filesize
729B

MD5
451ee3d591b13c63f2e091f4539b9125

SHA1
fab4325d23c7bf5d4f1d9dba5016d3b4818a119e

SHA256
b06c26a890e08b08e3ef705b2f32cd025938ab8f53d7c74dea4f58bb888e4300

SHA512
7f61dcd6c4614c294d0d8e020a3cdbd0d9734a2297498cec6ac1a760635f8534ce9657cdd4bf5097eb2d6b6cf0166660a5e7aac99f0dfdfa6e966ffb8cc9f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\97988c95-8ebc-47ec-95e5-0d745e10a534.vbs

Filesize
729B

MD5
63217fcc34350d2d27013ad4eca1b9d7

SHA1
b277484442f8cea6b1515c613f3db980168cf89b

SHA256
4d61126b7f7126dcdcb619a40c73d408c43167e1ad2f5054fbd6d4bab1095650

SHA512
690806d167b57317e3e366690d032e8281a48afffa6fef90e6c1d61ac831affebc1048aff54299de511795e3862de6692e74f70f7d39ad5354b17c3849c4ca3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e5b5c81-d485-411f-8d6b-24c782b8f007.vbs

Filesize
729B

MD5
16dace82890262761644019e656c8965

SHA1
ba5f6f795fdee7ae5f8a6835c6b7f61446529836

SHA256
c49af1170d0fbefb7e97eed5452241dc57be19db14637fd6d8c9b99a640ef703

SHA512
83785d395ac8c25c403ce909d28602713fbda859d028a232c1249460ee28cfbef1684a40ebd8a29f67bd9052b0f45c9adcf55fc47906b58b46a1fb78e07b028c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1IAg9p0i7.bat

Filesize
218B

MD5
d45dcee770d261b9f24229e8333347f6

SHA1
82ed7cb457459aabc2e772fc35d5a1e6e2afea8b

SHA256
2d7a46acd22be69b4ef566bffe55c8875fad1463734b975900c0de035c198af1

SHA512
176fba3cdd7dfe0f6cf64078bb320f48ee94eb4d96c178e5b7f09f1a771b10e43c5267c64185f43a5b01679b68f9f93e903b7d69c5f983b5a200036b53e38985

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxdk2zs1.dzy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2614075-508a-461e-aa84-a7fdc0722d28.vbs

Filesize
728B

MD5
b56605cb9b0ca6b7f9d281d727194c64

SHA1
9014e690fd0e2d716974351d745146632ec216da

SHA256
5387a79b9d58a062f561638f645aee46d4a4476eea3d2ec058ce2c24eccc9ea8

SHA512
0079c8bbe2cda029e5f056492533391099fd4a2f11fea6e848a1547af6f3d60bc705eac8a9dc57d4977f9608683871bc4cab9551eeeed0c32790bb48f8635a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0e8068a-a01d-4965-9405-3226877cfd0b.vbs

Filesize
729B

MD5
fdd891879220cdf91b94bc56206aadb5

SHA1
e720f5acf42c3c3ed6b9a6eb646c7df8a2eaedee

SHA256
65f46d69631a1b881b546b157b7c50e6e5237fa2b5956c42c8127899508647ef

SHA512
ce43926914048e0f87fa986be0ec9b66fe7737588646083419cafb04c8e7b1e05c55361508d51e35bb9dbb65a677880288db86d997ad2be1744e00acf42a7a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b14917f8-5a89-4f00-9d6f-541b61c116d5.vbs

Filesize
729B

MD5
1d024d64b6a7ca8aa8de1d482c2b59d5

SHA1
84d51fb78ac05a1d6c7953ad1014ec531b217ac0

SHA256
7dac943ce9eee4a775238ada3ea10aeaeeaeaf3e42147a9c4d017ab412dc5df1

SHA512
94815248e8768a6968e51680643225f66bdf78dce3e9474dbf334b4f4c7fd87fe0f3bc2d3492f7f9449ce42de4dc21748e993bf039850a4c4a3e6f84da4f96c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b48f5083-3c44-4084-8332-50da6837832b.vbs

Filesize
729B

MD5
dd8c2229696bfe04f5a4cdce9818c5b9

SHA1
dbf7d76ed9ee571e88379ddcfde01d63dde9b711

SHA256
eeab997c31828e64d3cbf801b212e2f8c0ef949bc916ae3b18f3f6ca5d701d3f

SHA512
8536ea16f69173c4ad204ab82c6a7b63c62f3d7f21f9f4dc6a1bacc42e571bc76154937f84243dd157261f61753fdd9285f1f9d4b6aa728ce0a704ea2754ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8d30451-cf1f-44db-87ab-b4b9f03fc711.vbs

Filesize
729B

MD5
d658f0eafcf435d4106f2353325e20fc

SHA1
47f891131b0e7b7ae145b2dd401e51aced160dd4

SHA256
b264e95dee7b2f11be575c3dc2a58e6c3bcbff22dbe0aca3b7214652f8c73172

SHA512
c1c140f36f267cb8fc7e047368a96ba53e3195bceec7abf4f4e5937f2f41c33751a5e9195c025e1468c46de1ae9def1112ee38a90736631d922bb224090098d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d64f0579-bb3b-4d21-abe5-ca99c129f268.vbs

Filesize
729B

MD5
7fff01f8d815dd04f154e19bc5e974a7

SHA1
ca5dcc5a677021da3ff038fad314bcb1e87ec538

SHA256
1468c384050fac0ca46e5e88c5d448319eb41cc917b93b939dbc600b2fc32187

SHA512
07fe49a81f511a2ea50736cbe97b329e230846caa0086a7cbd93cdc65ee7b58a8f9bdbc0aba7a2f0573b2568261e4e717820dc1b97770a76d9fb280df3aa5cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe2938e3-1a3b-4ffd-a4c7-3487d2e62e85.vbs

Filesize
729B

MD5
6d8876b6163e114dd8fca0d164f41894

SHA1
822310052d520acfd2b45ca1b498eb084188a421

SHA256
b6445c594e3e5b57c633958286eb372fa433c8c812c404603d9d2da8663798b5

SHA512
11a6c691bd243e62e68c20944652fee0ac0b1c152e250a3c89fdd76e32b1c7689d3e71aa12eb82525d6fc49b75743706f0515497ed083cdd12e372820984fc28

Download Submit
memory/1504-15-0x000000001B540000-0x000000001B548000-memory.dmp

Filesize
32KB

Download
memory/1504-11-0x0000000002AD0000-0x0000000002ADC000-memory.dmp

Filesize
48KB

Download
memory/1504-1-0x0000000000670000-0x0000000000812000-memory.dmp

Filesize
1.6MB

Download
memory/1504-13-0x000000001B520000-0x000000001B52E000-memory.dmp

Filesize
56KB

Download
memory/1504-14-0x000000001B530000-0x000000001B538000-memory.dmp

Filesize
32KB

Download
memory/1504-12-0x0000000002AE0000-0x0000000002AEA000-memory.dmp

Filesize
40KB

Download
memory/1504-10-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

Filesize
48KB

Download
memory/1504-17-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/1504-0-0x00007FFFEE493000-0x00007FFFEE495000-memory.dmp

Filesize
8KB

Download
memory/1504-16-0x000000001B550000-0x000000001B55A000-memory.dmp

Filesize
40KB

Download
memory/1504-9-0x0000000002AB0000-0x0000000002AB8000-memory.dmp

Filesize
32KB

Download
memory/1504-5-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/1504-6-0x0000000002A70000-0x0000000002A86000-memory.dmp

Filesize
88KB

Download
memory/1504-8-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/1504-7-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/1504-4-0x000000001B4D0000-0x000000001B520000-memory.dmp

Filesize
320KB

Download
memory/1504-3-0x0000000002A30000-0x0000000002A4C000-memory.dmp

Filesize
112KB

Download
memory/1504-112-0x00007FFFEE490000-0x00007FFFEEF51000-memory.dmp

Filesize
10.8MB

Download
memory/1504-2-0x00007FFFEE490000-0x00007FFFEEF51000-memory.dmp

Filesize
10.8MB

Download
memory/5376-118-0x0000020D7A430000-0x0000020D7A452000-memory.dmp

Filesize
136KB

Download