dcrat | 189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Size

5.9MB
MD5

89ed231ad61a9e5a7fd0ab9f2bd75b9a
SHA1

9fef3b04fdadf7c3bc756603d55d26c6d77a9f9d
SHA256

403dbebad41f7ff4bc9292290673b4dc3cce92f06d0f710c674f315f6e8caae8
SHA512

50ee7cfba3b046d677c9aaa853ec100ed2b4b24c4c045212c2eada4caed628ea7771fd0a8b47cb03c266a300df34b5f3b9714e68fdec6229067cb9b18db4f5ae
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw41:hyeU11Rvqmu8TWKnF6N/1wk

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 51 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5052	schtasks.exe
		1776	schtasks.exe
		4656	schtasks.exe
		4780	schtasks.exe
		4416	schtasks.exe
		4664	schtasks.exe
		3656	schtasks.exe
		5484	schtasks.exe
		5456	schtasks.exe
		5548	schtasks.exe
		4984	schtasks.exe
		5048	schtasks.exe
		3388	schtasks.exe
		1848	schtasks.exe
		1716	schtasks.exe
		5264	schtasks.exe
		5660	schtasks.exe
		3524	schtasks.exe
		1780	schtasks.exe
		4580	schtasks.exe
		4492	schtasks.exe
File created	C:\Windows\Media\69ddcba757bf72		89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
		1232	schtasks.exe
		2788	schtasks.exe
		2020	schtasks.exe
		5464	schtasks.exe
		2416	schtasks.exe
		1880	schtasks.exe
		4760	schtasks.exe
		916	schtasks.exe
		6048	schtasks.exe
		2200	schtasks.exe
		4712	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
		5108	schtasks.exe
		548	schtasks.exe
		4312	schtasks.exe
		4764	schtasks.exe
		1216	schtasks.exe
		6008	schtasks.exe
		4328	schtasks.exe
		5132	schtasks.exe
		1748	schtasks.exe
		5260	schtasks.exe
		5756	schtasks.exe
		3372	schtasks.exe
		1040	schtasks.exe
File created	C:\Program Files\Internet Explorer\ea9f0e6c9e2dcd		89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
		4692	schtasks.exe
		3352	schtasks.exe
		1244	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4636	schtasks.exe	87

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3104	powershell.exe
1340	powershell.exe
4880	powershell.exe
3428	powershell.exe
4988	powershell.exe
4192	powershell.exe
3580	powershell.exe
2904	powershell.exe
2604	powershell.exe
5072	powershell.exe
5868	powershell.exe
5020	powershell.exe
1760	powershell.exe
808	powershell.exe
4548	powershell.exe
3952	powershell.exe
4348	powershell.exe
3400	powershell.exe
2208	powershell.exe
5944	powershell.exe
5460	powershell.exe
2352	powershell.exe
4468	powershell.exe
4436	powershell.exe
2796	powershell.exe
4084	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 4 IoCs

pid	Process
2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
5008	sppsvc.exe
3448	sppsvc.exe
4464	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
5008	sppsvc.exe
5008	sppsvc.exe
3448	sppsvc.exe
3448	sppsvc.exe
4464	sppsvc.exe
4464	sppsvc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\taskhostw.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Program Files\Internet Explorer\ea9f0e6c9e2dcd	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX6A28.tmp	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX6A38.tmp	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Program Files\Internet Explorer\taskhostw.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\RCX6CBA.tmp	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\Media\RCX6CCB.tmp	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.1.4322\0a1fd5f707cd16	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\bcastdvr\Idle.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\Media\smss.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\bcastdvr\6ccacd8608530f	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\fr-FR\0a1fd5f707cd16	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\7a0fd90576e088	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v1.1.4322\sppsvc.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Media\smss.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\9e8d7a4ca61bd9	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\fr-FR\sppsvc.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.1.4322\sppsvc.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\bcastdvr\Idle.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\fr-FR\sppsvc.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\explorer.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\explorer.exe	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
File created	C:\Windows\Media\69ddcba757bf72	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe
5260	schtasks.exe
2020	schtasks.exe
5756	schtasks.exe
4580	schtasks.exe
3656	schtasks.exe
6008	schtasks.exe
4328	schtasks.exe
1716	schtasks.exe
5660	schtasks.exe
4492	schtasks.exe
2200	schtasks.exe
1776	schtasks.exe
1040	schtasks.exe
5108	schtasks.exe
1848	schtasks.exe
3388	schtasks.exe
2788	schtasks.exe
5052	schtasks.exe
3372	schtasks.exe
5456	schtasks.exe
548	schtasks.exe
5132	schtasks.exe
1244	schtasks.exe
4312	schtasks.exe
5264	schtasks.exe
1780	schtasks.exe
4692	schtasks.exe
4656	schtasks.exe
4780	schtasks.exe
1232	schtasks.exe
2416	schtasks.exe
5484	schtasks.exe
1216	schtasks.exe
5048	schtasks.exe
916	schtasks.exe
4760	schtasks.exe
1880	schtasks.exe
4664	schtasks.exe
4416	schtasks.exe
3352	schtasks.exe
6048	schtasks.exe
5548	schtasks.exe
3524	schtasks.exe
5464	schtasks.exe
4764	schtasks.exe
4712	schtasks.exe
4984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
4084	powershell.exe
4084	powershell.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
4880	powershell.exe
4880	powershell.exe
4988	powershell.exe
4988	powershell.exe
2904	powershell.exe
3580	powershell.exe
3580	powershell.exe
2904	powershell.exe
2604	powershell.exe
2604	powershell.exe
5072	powershell.exe
5072	powershell.exe
1340	powershell.exe
1340	powershell.exe
808	powershell.exe
808	powershell.exe
3104	powershell.exe
3104	powershell.exe
2208	powershell.exe
2208	powershell.exe
5868	powershell.exe
5868	powershell.exe
3428	powershell.exe
3428	powershell.exe
2904	powershell.exe
3428	powershell.exe
4988	powershell.exe
4880	powershell.exe
2604	powershell.exe
4084	powershell.exe
4084	powershell.exe
3580	powershell.exe
5072	powershell.exe
3104	powershell.exe
808	powershell.exe
1340	powershell.exe
2208	powershell.exe
5868	powershell.exe
2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	5008	sppsvc.exe
Token: SeDebugPrivilege	3448	sppsvc.exe
Token: SeDebugPrivilege	4464	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3580	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	100
PID 3108 wrote to memory of 3580	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	100
PID 3108 wrote to memory of 4084	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	101
PID 3108 wrote to memory of 4084	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	101
PID 3108 wrote to memory of 2904	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	102
PID 3108 wrote to memory of 2904	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	102
PID 3108 wrote to memory of 3104	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	103
PID 3108 wrote to memory of 3104	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	103
PID 3108 wrote to memory of 2208	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	104
PID 3108 wrote to memory of 2208	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	104
PID 3108 wrote to memory of 5072	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	105
PID 3108 wrote to memory of 5072	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	105
PID 3108 wrote to memory of 4880	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	108
PID 3108 wrote to memory of 4880	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	108
PID 3108 wrote to memory of 1340	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	110
PID 3108 wrote to memory of 1340	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	110
PID 3108 wrote to memory of 2604	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	111
PID 3108 wrote to memory of 2604	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	111
PID 3108 wrote to memory of 808	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	113
PID 3108 wrote to memory of 808	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	113
PID 3108 wrote to memory of 3428	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	114
PID 3108 wrote to memory of 3428	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	114
PID 3108 wrote to memory of 5868	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	115
PID 3108 wrote to memory of 5868	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	115
PID 3108 wrote to memory of 4988	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	116
PID 3108 wrote to memory of 4988	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	116
PID 3108 wrote to memory of 2636	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	126
PID 3108 wrote to memory of 2636	3108	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	126
PID 2636 wrote to memory of 4264	2636	cmd.exe	128
PID 2636 wrote to memory of 4264	2636	cmd.exe	128
PID 2636 wrote to memory of 2148	2636	cmd.exe	129
PID 2636 wrote to memory of 2148	2636	cmd.exe	129
PID 2148 wrote to memory of 5944	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	166
PID 2148 wrote to memory of 5944	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	166
PID 2148 wrote to memory of 3952	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	167
PID 2148 wrote to memory of 3952	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	167
PID 2148 wrote to memory of 4548	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	168
PID 2148 wrote to memory of 4548	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	168
PID 2148 wrote to memory of 5460	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	169
PID 2148 wrote to memory of 5460	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	169
PID 2148 wrote to memory of 5020	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	171
PID 2148 wrote to memory of 5020	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	171
PID 2148 wrote to memory of 2352	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	172
PID 2148 wrote to memory of 2352	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	172
PID 2148 wrote to memory of 4468	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	173
PID 2148 wrote to memory of 4468	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	173
PID 2148 wrote to memory of 1760	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	174
PID 2148 wrote to memory of 1760	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	174
PID 2148 wrote to memory of 4192	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	175
PID 2148 wrote to memory of 4192	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	175
PID 2148 wrote to memory of 3400	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	176
PID 2148 wrote to memory of 3400	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	176
PID 2148 wrote to memory of 4348	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	178
PID 2148 wrote to memory of 4348	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	178
PID 2148 wrote to memory of 2796	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	179
PID 2148 wrote to memory of 2796	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	179
PID 2148 wrote to memory of 4436	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	181
PID 2148 wrote to memory of 4436	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	181
PID 2148 wrote to memory of 5380	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	192
PID 2148 wrote to memory of 5380	2148	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe	192
PID 5380 wrote to memory of 5116	5380	cmd.exe	194
PID 5380 wrote to memory of 5116	5380	cmd.exe	194
PID 5380 wrote to memory of 5008	5380	cmd.exe	198
PID 5380 wrote to memory of 5008	5380	cmd.exe	198

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
"C:\Users\Admin\AppData\Local\Temp\89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe"
1⤵
- DcRat
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/aff403968f1bfcc42131676322798b50/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f9532e701a889cdd91b8/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owVEGEG8J4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
    "C:\Users\Admin\AppData\Local\Temp\89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/aff403968f1bfcc42131676322798b50/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f9532e701a889cdd91b8/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVO2yVWNDR.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5380
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5116
    - - C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5008
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08dd59bb-7339-4d88-b819-0c77cee9cb53.vbs"
        6⤵
        
        PID:1420
        
        C:\Windows\fr-FR\sppsvc.exe
        
        C:\Windows\fr-FR\sppsvc.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c22bcd38-f7e3-4561-bd25-a7c4463d4e39.vbs"
        8⤵
        
        PID:4308
        
        C:\Windows\fr-FR\sppsvc.exe
        
        C:\Windows\fr-FR\sppsvc.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ab6146d-c9e0-49ad-9f45-1e8d2a73b5d1.vbs"
        10⤵
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b38642d-2397-4f7f-8fa9-4e67f9478b72.vbs"
        10⤵
        
        PID:5688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4fae4a5-defa-4b21-a389-46aa32870a7e.vbs"
        8⤵
        
        PID:5752
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcdf17ce-ae89-494d-b1e1-ae12afb96917.vbs"
        6⤵
        
        PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework\v1.1.4322\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v1.1.4322\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\Framework\v1.1.4322\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\bcastdvr\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\USOShared\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\fr-FR\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\Registry.exe

Filesize
5.9MB

MD5
a26b5a659bdebac28793ef83006967fd

SHA1
46134fa44afc67d19e191d537219b5c8da11d196

SHA256
05ef3bd4f52767e9b96974b7f25110cf1b121b32fe56e4d44436589a4c0331c7

SHA512
0688cdf5a20fbe1b28a45c73df8527d3318e9141356e1b001a53f8755f21894ea7dac5124294777a6686fc56f54b56439beaef0ae0b4dc53f0050238cc2b3ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe.log

Filesize
1KB

MD5
612072f28dae34eb75a144057666a2ba

SHA1
3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

SHA256
ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

SHA512
b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea2f44a25582e20c2e1d21c73bbd4fa1

SHA1
d63ef1804bad1a542aeb3cf5111cd86a9111d7a1

SHA256
43ec39d124ebadf53f254b9aef5f1d2f73526a681682d0409af5e34beb8737d8

SHA512
49ed57cd127b56793cf2bc1dfae0ccb45d3a9eaaf9475ea7ec65b4d6782c0b846b832bedfa19e65c4b54d7a7b19dfd177bfcb3e0fadad8640c4bb6515ee2c835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1ec688da6aecc29adad317a53f0b27

SHA1
87e0b65d6be79be0cd0bc2d99f8e0e8a169406c6

SHA256
5878989a12563098e507af48834e0c0e92adfa760379baf9e8b46b9c53fa182d

SHA512
362fbd2dc7185482a1f319bbb50a7416c5feeb2ce7fac0c7cdd1690567704f3698ef41238721421039e2c570a3dc2998325b4be60dec79c0ed2d00608387c503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
354ebb8d437ee057dacfef36baced4e9

SHA1
30460dbe64847ebb524d7d1fd5b9bf8a851a7626

SHA256
bcf3ba98af6ee96a3eba9bbc6bdb2ae36b883f5f1e9cdad2974cbbcb9c102237

SHA512
1f2cb272ad33df6e34949ac4d60ec0702316d9e21992be52cd9c6abd846472e7c868a8e96b5922b016e7952e460671e5768d007e28d84940a1b956eef4705b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1e3c555747900d8c9652a014303474aa

SHA1
1b2057ff00b20996fe74977d7e336be9d4625283

SHA256
6a419c7390f12be16e2d1e752539a2a429f41e35ce0381bee1d824571769e2f1

SHA512
067ea6a394f54acfc44d64fdf11463a74cb5d6bba3fe253e7625455754c528bd678fd1c679e949e928b7fc11b563c256b0b0e33474f7c58eb0735d7aacd3232d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1099dc40baabde4be41cc1faf6353f7d

SHA1
345705c6b9adc64389b6d142e7484d0cdd4f2bd0

SHA256
6cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40

SHA512
6315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be95052f298019b83e11336567f385fc

SHA1
556e6abda268afaeeec5e1ee65adc01660b70534

SHA256
ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

SHA512
233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdf0f0bc4de32a6f32ecb8a32ba5df1

SHA1
900c6a905984e5e16f3efe01ce2b2cc725fc64f1

SHA256
c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

SHA512
680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
705e397ba2c670b0b9fcebdd31e0feea

SHA1
8566fe7e0903b7495e659ba0588b72e3ce538c3b

SHA256
ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

SHA512
a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d7e01f2da5faf06203d0bdcf32f2aee

SHA1
972128bc0896422301531607773f6af989535547

SHA256
57df11f5726f22f6b65380a63c6ddeeced49bd543781cf05428932500c6e2cef

SHA512
2d446d1ed39875581a11fc433c9fd13c7b5ad4133c50f93cfc18e355339c1dd8937058864250c9e3d659049f4feb8cf8e1ce3fd90716eb5c9b8cd309b9ccc16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
436B

MD5
2c7746e4f444bf1675c8d36f67bf906a

SHA1
0e2327a89331720d0a0e37467530ea4aa624720e

SHA256
02c100ca0d3dee5197fcf432c48b2002978f7f0980f0b441144b6d1a0982ca95

SHA512
fc351494452aa86b8247520c944791014d11da6df2abcc9e217c83c0641fbb4319438380fe0033596b614688d05f46fb142c599ab4f9fafc6e69bf2b410f6457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ad148cc543edfb880854c755c2ad2081

SHA1
b81e48b6803d15a7a33d80f445fd61c5162a2d35

SHA256
a316471edb159f94a596f031c2a45818dae3936034e8474d238455e26a351e23

SHA512
9f6066e011637150355b8debfd24b65e0bd7ba1bc1133d4850bd490a8d99b52c38b00baf20674f16bb4998c9287c3b15362e143dbe27698f524302c7a5d350a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\08dd59bb-7339-4d88-b819-0c77cee9cb53.vbs

Filesize
703B

MD5
f8f96bc6de1737a59019e4f217d91857

SHA1
0b7f5620ad358fca82c7522fde0813c075c24e78

SHA256
33a57279f94078b975ee1b000b4e1bf7a4faed77cb471687aa80f6a57c2ad548

SHA512
6e14f728fd8ae4557116b90b2c380037e2287a4279e63d3bcebd2617a2ba0813fa486ca7575a9cb60cda852e96ac2dc237d2b3cb37069cf49be4f29f3c54acb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ab6146d-c9e0-49ad-9f45-1e8d2a73b5d1.vbs

Filesize
703B

MD5
8c37c25eac6be829ad0d6f77f340afdd

SHA1
b410c5f54bf3057d73bcb245d9d0e458d31d402f

SHA256
6a5e1681f8595b2cf1f89231515f40b04bb7a0f32e6e6fafd17c27da15a11092

SHA512
8af9a11b0a4712783f343299a6a418e375bd70a2e024b29b5bf6f3ceceba04f9b5eae8437f401365872c4d80bb24e3e93d0f50cc9ad1526a0558ffee59b236a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVO2yVWNDR.bat

Filesize
192B

MD5
e678c6ceeb5c75703edc88fc634ee239

SHA1
775250405da51d9609d66949c9eb7eaa7a2be21d

SHA256
15fee2e57bbae404f5da91154be8cfc037cbd835e31adb01c1bafbc20ef7dea0

SHA512
ee8012433cea304d51c8e78ce6445bf67c780e1ddb424b1a48de725251366b80c51e80a74e446ce1e4c589000485d5601e4708157e832016323d15ad3e532629

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX6562.tmp

Filesize
5.9MB

MD5
89ed231ad61a9e5a7fd0ab9f2bd75b9a

SHA1
9fef3b04fdadf7c3bc756603d55d26c6d77a9f9d

SHA256
403dbebad41f7ff4bc9292290673b4dc3cce92f06d0f710c674f315f6e8caae8

SHA512
50ee7cfba3b046d677c9aaa853ec100ed2b4b24c4c045212c2eada4caed628ea7771fd0a8b47cb03c266a300df34b5f3b9714e68fdec6229067cb9b18db4f5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duwgmotk.2oc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c22bcd38-f7e3-4561-bd25-a7c4463d4e39.vbs

Filesize
703B

MD5
22a134b3aed653415819dbd8d76ca5f1

SHA1
71eb06428b68521da4cf031ba5a3c6353e01d1e5

SHA256
2c502b0cd366db1203243f5189ecd6f4dacf43cebebaef9707b8bf7c94c4c581

SHA512
447da5e77106ca0ecc67a27b088aa30300cb645a1dea6ca0858a4c0b5b0dd56ac6464feb8ab588a0c91b232bea6701ac1bf5c6b6817e4d476bfb59e5e82ae666

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcdf17ce-ae89-494d-b1e1-ae12afb96917.vbs

Filesize
479B

MD5
0dce77bf3edc1a9eff714153437e4270

SHA1
882260255b4c9078ce4fa4fa51ea04fdd474fe63

SHA256
ebccaa3f0906eab14a364d427ccadba06be98ef60574f06613962d27928e87ff

SHA512
943b10010e9abc869037a7bbf86a49f0cd517fb2c5c81df93ec92df3db964df313ca7a1ba226077eaf03207d7e9e0cf987e9b5ab35cd838a36a6394f3b762f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\owVEGEG8J4.bat

Filesize
235B

MD5
5a44dae311e74aab7d0379ae321241b6

SHA1
96ec2520862a4d900f9d601303633cdd624bd2e3

SHA256
01c0bca4e38b7d1a9860c1b70e558df188a8aced94871c86b1007ac863a5e063

SHA512
ccf212acf68aa2076afe972299270f9c377b58b94e4f02277de67eef69de29921ba4e721b10c923a091bef969f2136ae1b5dbcd62bb175e871dba2f9d7c19160

Download Submit
C:\aff403968f1bfcc42131676322798b50\9e8d7a4ca61bd9

Filesize
453B

MD5
6ed304eab6f6ecc1a36343d45143660d

SHA1
3df93f92682b019fc1fe7311c33b5d54db510ff3

SHA256
cc1dacda58863e3fa14fe76f19f66c5d829f500b400ff93f91b10a0b117ff289

SHA512
62c423fec34337ac1daf564cdc1ee4945b4abadf9f8af10b1ff7f45063c229c8622c89daac8b693b30f9252244b0393acef2831e1d84c406aff837236b9cea7f

Download Submit
memory/3108-17-0x000000001CDA0000-0x000000001CDAA000-memory.dmp

Filesize
40KB

Download
memory/3108-22-0x000000001CE20000-0x000000001CE28000-memory.dmp

Filesize
32KB

Download
memory/3108-30-0x000000001CEA0000-0x000000001CEAC000-memory.dmp

Filesize
48KB

Download
memory/3108-31-0x000000001D130000-0x000000001D138000-memory.dmp

Filesize
32KB

Download
memory/3108-32-0x000000001D140000-0x000000001D14C000-memory.dmp

Filesize
48KB

Download
memory/3108-33-0x000000001CEB0000-0x000000001CEBA000-memory.dmp

Filesize
40KB

Download
memory/3108-35-0x000000001CED0000-0x000000001CED8000-memory.dmp

Filesize
32KB

Download
memory/3108-34-0x000000001CEC0000-0x000000001CECE000-memory.dmp

Filesize
56KB

Download
memory/3108-36-0x000000001CEE0000-0x000000001CEEE000-memory.dmp

Filesize
56KB

Download
memory/3108-37-0x000000001CEF0000-0x000000001CEF8000-memory.dmp

Filesize
32KB

Download
memory/3108-38-0x000000001CF00000-0x000000001CF0C000-memory.dmp

Filesize
48KB

Download
memory/3108-39-0x000000001CF10000-0x000000001CF18000-memory.dmp

Filesize
32KB

Download
memory/3108-40-0x000000001D250000-0x000000001D25A000-memory.dmp

Filesize
40KB

Download
memory/3108-41-0x000000001D150000-0x000000001D15C000-memory.dmp

Filesize
48KB

Download
memory/3108-28-0x000000001CE80000-0x000000001CE88000-memory.dmp

Filesize
32KB

Download
memory/3108-27-0x000000001CE70000-0x000000001CE7C000-memory.dmp

Filesize
48KB

Download
memory/3108-1-0x0000000000DE0000-0x00000000016D8000-memory.dmp

Filesize
9.0MB

Download
memory/3108-26-0x000000001CE60000-0x000000001CE6C000-memory.dmp

Filesize
48KB

Download
memory/3108-144-0x00007FF98C4C0000-0x00007FF98CF81000-memory.dmp

Filesize
10.8MB

Download
memory/3108-25-0x000000001D460000-0x000000001D988000-memory.dmp

Filesize
5.2MB

Download
memory/3108-24-0x000000001CE30000-0x000000001CE42000-memory.dmp

Filesize
72KB

Download
memory/3108-29-0x000000001CE90000-0x000000001CE9C000-memory.dmp

Filesize
48KB

Download
memory/3108-21-0x000000001CF20000-0x000000001CF2C000-memory.dmp

Filesize
48KB

Download
memory/3108-20-0x000000001CE10000-0x000000001CE18000-memory.dmp

Filesize
32KB

Download
memory/3108-19-0x000000001CE00000-0x000000001CE0C000-memory.dmp

Filesize
48KB

Download
memory/3108-18-0x000000001CDB0000-0x000000001CE06000-memory.dmp

Filesize
344KB

Download
memory/3108-0-0x00007FF98C4C3000-0x00007FF98C4C5000-memory.dmp

Filesize
8KB

Download
memory/3108-16-0x000000001C4B0000-0x000000001C4C0000-memory.dmp

Filesize
64KB

Download
memory/3108-15-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

Filesize
32KB

Download
memory/3108-14-0x000000001CD90000-0x000000001CD9C000-memory.dmp

Filesize
48KB

Download
memory/3108-13-0x000000001C490000-0x000000001C4A2000-memory.dmp

Filesize
72KB

Download
memory/3108-11-0x000000001C460000-0x000000001C476000-memory.dmp

Filesize
88KB

Download
memory/3108-12-0x000000001C480000-0x000000001C488000-memory.dmp

Filesize
32KB

Download
memory/3108-10-0x000000001C450000-0x000000001C460000-memory.dmp

Filesize
64KB

Download
memory/3108-8-0x000000001CC40000-0x000000001CC90000-memory.dmp

Filesize
320KB

Download
memory/3108-9-0x000000001C440000-0x000000001C448000-memory.dmp

Filesize
32KB

Download
memory/3108-7-0x000000001C210000-0x000000001C22C000-memory.dmp

Filesize
112KB

Download
memory/3108-6-0x000000001C200000-0x000000001C208000-memory.dmp

Filesize
32KB

Download
memory/3108-5-0x000000001C1F0000-0x000000001C1FE000-memory.dmp

Filesize
56KB

Download
memory/3108-4-0x000000001C1E0000-0x000000001C1EE000-memory.dmp

Filesize
56KB

Download
memory/3108-3-0x00007FF98C4C0000-0x00007FF98CF81000-memory.dmp

Filesize
10.8MB

Download
memory/3108-2-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4464-480-0x000000001BE70000-0x000000001BE82000-memory.dmp

Filesize
72KB

Download
memory/4880-106-0x0000018453EF0000-0x0000018453F12000-memory.dmp

Filesize
136KB

Download