dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ff89c7cdaac70515ac184accbd4c9f.exe
Size

1.6MB
MD5

72ff89c7cdaac70515ac184accbd4c9f
SHA1

e6306a7c6d40ae9036ced594b938a12f8ab57b1c
SHA256

5db5b45d3fbb3a20e8fb589356e8c5ad9cfe79cbe2f9ba46a3d5c1d312f72504
SHA512

aacbc1a9ea04889d3d1552ccf9d4634eb0baaf57715dfc7686922058a485eedd868c0578cf8b438187cf8b3b2ebf3d32dcd963ef77ec1de278231ab19f584be4
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1508	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1508	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/2016-1-0x0000000000FA0000-0x0000000001142000-memory.dmp	dcrat
behavioral12/files/0x0007000000024083-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1108	powershell.exe
1828	powershell.exe
2812	powershell.exe
2064	powershell.exe
1468	powershell.exe
3068	powershell.exe
4872	powershell.exe
4860	powershell.exe
3568	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	72ff89c7cdaac70515ac184accbd4c9f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 13 IoCs

pid	Process
4964	backgroundTaskHost.exe
4332	backgroundTaskHost.exe
1752	backgroundTaskHost.exe
3868	backgroundTaskHost.exe
4152	backgroundTaskHost.exe
4272	backgroundTaskHost.exe
3908	backgroundTaskHost.exe
3552	backgroundTaskHost.exe
396	backgroundTaskHost.exe
2880	backgroundTaskHost.exe
3904	backgroundTaskHost.exe
3388	backgroundTaskHost.exe
3476	backgroundTaskHost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files\MsEdgeCrashpad\eddb19405b7ce1	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\RCX90E2.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\RCX90E3.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe	72ff89c7cdaac70515ac184accbd4c9f.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\RuntimeBroker.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\Logs\CBS\9e8d7a4ca61bd9	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\uk-UA\sihost.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\uk-UA\66fc9ff0ee96c2	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Logs\CBS\RCX87A4.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Logs\CBS\RuntimeBroker.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\uk-UA\RCX8C2B.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Logs\CBS\RCX87A3.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\uk-UA\RCX8C2C.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\uk-UA\sihost.exe	72ff89c7cdaac70515ac184accbd4c9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	72ff89c7cdaac70515ac184accbd4c9f.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
3908	schtasks.exe
4784	schtasks.exe
3304	schtasks.exe
1640	schtasks.exe
3664	schtasks.exe
796	schtasks.exe
2408	schtasks.exe
4432	schtasks.exe
3124	schtasks.exe
3132	schtasks.exe
3660	schtasks.exe
3096	schtasks.exe
1072	schtasks.exe
780	schtasks.exe
3500	schtasks.exe
1712	schtasks.exe
5032	schtasks.exe
1328	schtasks.exe
3592	schtasks.exe
4920	schtasks.exe
3996	schtasks.exe
4660	schtasks.exe
4284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2016	72ff89c7cdaac70515ac184accbd4c9f.exe
2016	72ff89c7cdaac70515ac184accbd4c9f.exe
2016	72ff89c7cdaac70515ac184accbd4c9f.exe
2016	72ff89c7cdaac70515ac184accbd4c9f.exe
2016	72ff89c7cdaac70515ac184accbd4c9f.exe
1108	powershell.exe
1108	powershell.exe
1468	powershell.exe
1468	powershell.exe
4872	powershell.exe
4872	powershell.exe
3068	powershell.exe
3068	powershell.exe
3568	powershell.exe
3568	powershell.exe
2064	powershell.exe
2064	powershell.exe
1828	powershell.exe
1828	powershell.exe
4860	powershell.exe
4860	powershell.exe
2812	powershell.exe
2812	powershell.exe
4860	powershell.exe
2812	powershell.exe
1108	powershell.exe
3068	powershell.exe
1468	powershell.exe
4872	powershell.exe
3568	powershell.exe
1828	powershell.exe
2064	powershell.exe
4964	backgroundTaskHost.exe
4332	backgroundTaskHost.exe
1752	backgroundTaskHost.exe
3868	backgroundTaskHost.exe
3868	backgroundTaskHost.exe
4152	backgroundTaskHost.exe
4152	backgroundTaskHost.exe
4272	backgroundTaskHost.exe
4272	backgroundTaskHost.exe
3908	backgroundTaskHost.exe
3552	backgroundTaskHost.exe
396	backgroundTaskHost.exe
2880	backgroundTaskHost.exe
3904	backgroundTaskHost.exe
3388	backgroundTaskHost.exe
3476	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	72ff89c7cdaac70515ac184accbd4c9f.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	4964	backgroundTaskHost.exe
Token: SeDebugPrivilege	4332	backgroundTaskHost.exe
Token: SeDebugPrivilege	1752	backgroundTaskHost.exe
Token: SeDebugPrivilege	3868	backgroundTaskHost.exe
Token: SeDebugPrivilege	4152	backgroundTaskHost.exe
Token: SeDebugPrivilege	4272	backgroundTaskHost.exe
Token: SeDebugPrivilege	3908	backgroundTaskHost.exe
Token: SeDebugPrivilege	3552	backgroundTaskHost.exe
Token: SeDebugPrivilege	396	backgroundTaskHost.exe
Token: SeDebugPrivilege	2880	backgroundTaskHost.exe
Token: SeDebugPrivilege	3904	backgroundTaskHost.exe
Token: SeDebugPrivilege	3388	backgroundTaskHost.exe
Token: SeDebugPrivilege	3476	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4860	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	117
PID 2016 wrote to memory of 4860	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	117
PID 2016 wrote to memory of 1468	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	118
PID 2016 wrote to memory of 1468	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	118
PID 2016 wrote to memory of 3568	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	119
PID 2016 wrote to memory of 3568	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	119
PID 2016 wrote to memory of 1108	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	120
PID 2016 wrote to memory of 1108	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	120
PID 2016 wrote to memory of 3068	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	121
PID 2016 wrote to memory of 3068	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	121
PID 2016 wrote to memory of 1828	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	122
PID 2016 wrote to memory of 1828	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	122
PID 2016 wrote to memory of 2812	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	123
PID 2016 wrote to memory of 2812	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	123
PID 2016 wrote to memory of 4872	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	124
PID 2016 wrote to memory of 4872	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	124
PID 2016 wrote to memory of 2064	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	125
PID 2016 wrote to memory of 2064	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	125
PID 2016 wrote to memory of 1536	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	135
PID 2016 wrote to memory of 1536	2016	72ff89c7cdaac70515ac184accbd4c9f.exe	135
PID 1536 wrote to memory of 2760	1536	cmd.exe	137
PID 1536 wrote to memory of 2760	1536	cmd.exe	137
PID 1536 wrote to memory of 4964	1536	cmd.exe	140
PID 1536 wrote to memory of 4964	1536	cmd.exe	140
PID 4964 wrote to memory of 3576	4964	backgroundTaskHost.exe	142
PID 4964 wrote to memory of 3576	4964	backgroundTaskHost.exe	142
PID 4964 wrote to memory of 2980	4964	backgroundTaskHost.exe	143
PID 4964 wrote to memory of 2980	4964	backgroundTaskHost.exe	143
PID 3576 wrote to memory of 4332	3576	WScript.exe	144
PID 3576 wrote to memory of 4332	3576	WScript.exe	144
PID 4332 wrote to memory of 3516	4332	backgroundTaskHost.exe	145
PID 4332 wrote to memory of 3516	4332	backgroundTaskHost.exe	145
PID 4332 wrote to memory of 1884	4332	backgroundTaskHost.exe	146
PID 4332 wrote to memory of 1884	4332	backgroundTaskHost.exe	146
PID 3516 wrote to memory of 1752	3516	WScript.exe	148
PID 3516 wrote to memory of 1752	3516	WScript.exe	148
PID 1752 wrote to memory of 4008	1752	backgroundTaskHost.exe	149
PID 1752 wrote to memory of 4008	1752	backgroundTaskHost.exe	149
PID 1752 wrote to memory of 2540	1752	backgroundTaskHost.exe	150
PID 1752 wrote to memory of 2540	1752	backgroundTaskHost.exe	150
PID 4008 wrote to memory of 3868	4008	WScript.exe	155
PID 4008 wrote to memory of 3868	4008	WScript.exe	155
PID 3868 wrote to memory of 4088	3868	backgroundTaskHost.exe	156
PID 3868 wrote to memory of 4088	3868	backgroundTaskHost.exe	156
PID 3868 wrote to memory of 1108	3868	backgroundTaskHost.exe	157
PID 3868 wrote to memory of 1108	3868	backgroundTaskHost.exe	157
PID 4088 wrote to memory of 4152	4088	WScript.exe	158
PID 4088 wrote to memory of 4152	4088	WScript.exe	158
PID 4152 wrote to memory of 4388	4152	backgroundTaskHost.exe	159
PID 4152 wrote to memory of 4388	4152	backgroundTaskHost.exe	159
PID 4152 wrote to memory of 1328	4152	backgroundTaskHost.exe	160
PID 4152 wrote to memory of 1328	4152	backgroundTaskHost.exe	160
PID 4388 wrote to memory of 4272	4388	WScript.exe	161
PID 4388 wrote to memory of 4272	4388	WScript.exe	161
PID 4272 wrote to memory of 2664	4272	backgroundTaskHost.exe	162
PID 4272 wrote to memory of 2664	4272	backgroundTaskHost.exe	162
PID 4272 wrote to memory of 2632	4272	backgroundTaskHost.exe	163
PID 4272 wrote to memory of 2632	4272	backgroundTaskHost.exe	163
PID 2664 wrote to memory of 3908	2664	WScript.exe	167
PID 2664 wrote to memory of 3908	2664	WScript.exe	167
PID 3908 wrote to memory of 4320	3908	backgroundTaskHost.exe	168
PID 3908 wrote to memory of 4320	3908	backgroundTaskHost.exe	168
PID 3908 wrote to memory of 4572	3908	backgroundTaskHost.exe	169
PID 3908 wrote to memory of 4572	3908	backgroundTaskHost.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe
"C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6jdsJyxgUl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2760
- - C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
    "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce75ac20-3ca1-4108-a461-b4db6850ea13.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dae5e7-bdfe-4861-8726-8822d20877f3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955e32b5-18b3-4e4a-a917-efc864a20fc9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\876d0c47-caaf-4e8e-91e9-431393fab869.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3e02363-ec7f-405f-8b4d-58411d379923.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dded549c-4853-4e4b-8fd1-fa6c399f14a7.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c09e32-58f0-4cd4-ad4e-0c621e6f0e33.vbs"
        16⤵
        
        PID:4320
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87fce8ad-d4f4-4506-96bd-8c25e35239c0.vbs"
        18⤵
        
        PID:4156
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57328a5-9095-4fc0-ade9-d73020d3943f.vbs"
        20⤵
        
        PID:1628
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\befd17de-5d89-4063-8895-922d04078b3f.vbs"
        22⤵
        
        PID:2988
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185639e7-da67-405e-b732-ba310b85f678.vbs"
        24⤵
        
        PID:2972
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbfdf802-f036-415e-a0d5-9804d5bf198a.vbs"
        26⤵
        
        PID:2904
        
        C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe
        
        "C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6114d0-5078-4c52-9ac7-daa3999ec98e.vbs"
        28⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a990dac3-4ee2-450f-a73d-977351d06638.vbs"
        28⤵
        
        PID:5072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53095393-44bd-4088-9a38-de7f2d5fadb5.vbs"
        26⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df809391-fa4c-4aff-a324-3bbf4aedf48d.vbs"
        24⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c81666-297b-4940-9654-4413dd71b79a.vbs"
        22⤵
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26ff53f-3dac-40bc-8d9d-26fc3b6661ad.vbs"
        20⤵
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88022405-d011-44c7-ae3b-21ffd9d30db1.vbs"
        18⤵
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d54e280-f61e-4777-a9f1-58df458c6999.vbs"
        16⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee246f17-13eb-4c12-a5c4-feaca1c372ec.vbs"
        14⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0322e1ac-615a-4fa9-899c-ea929f31f3c3.vbs"
        12⤵
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476730d5-6b1e-4415-be53-e2c9427dea82.vbs"
        10⤵
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aaa2af3-0a54-40ae-87d3-460dc7f5b105.vbs"
        8⤵
        
        PID:2540
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea841fed-b417-44b5-931e-546a9a0b80ce.vbs"
        6⤵
        
        PID:1884
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e3744c8-ddc9-4463-91dd-0770120abe33.vbs"
      4⤵
      PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\CBS\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
72ff89c7cdaac70515ac184accbd4c9f

SHA1
e6306a7c6d40ae9036ced594b938a12f8ab57b1c

SHA256
5db5b45d3fbb3a20e8fb589356e8c5ad9cfe79cbe2f9ba46a3d5c1d312f72504

SHA512
aacbc1a9ea04889d3d1552ccf9d4634eb0baaf57715dfc7686922058a485eedd868c0578cf8b438187cf8b3b2ebf3d32dcd963ef77ec1de278231ab19f584be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd1e1eb6a048e036091c96bdc35a80f2

SHA1
647970199ff6cf12e9d62f5d42030b50ec2fd319

SHA256
f2a37d987731acdcd4887580e12dc5adef0f76c2f8566b071124973ccc49a5fa

SHA512
17571b418a955ac9349b99b03a11560f35a05633cb6146b4ac2b6854e72a215b8cbae9528e1634ac3fafc96f25bffc81c84719305b53cf6e01a97e6669cc05f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
990f2ad22e4ee8bb16d0e84568ff1c04

SHA1
8ee103c2c4969dd252d3f136479e718361e2ace2

SHA256
9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578

SHA512
ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
764B

MD5
0d100aa38a31926e2bc3474c57a57dde

SHA1
f347aebbdcda4cc322c582b7ee7d9ddc84ab52d5

SHA256
065ef9661e993e92ef33dcdd069c2d126d0cd74b0f30f2fda906633562fd560a

SHA512
35f89d91985ffa80e2bd3443032c3360bc90be1499d7051ea4af7e0deb4638e5cac43741c54992a19c40a754d547e111ce9e370e1546d37938d3ab7e22017363

Download Submit
C:\Users\Admin\AppData\Local\Temp\185639e7-da67-405e-b732-ba310b85f678.vbs

Filesize
730B

MD5
58bffe2b07fda538dcf7559116a5fd78

SHA1
ee05e020be537dcc9310c8dec03472953b8157a1

SHA256
cfa730fd9c9da303bbb7d6a6c4e3ed67750136c3cabfaee76bc4295c775183e0

SHA512
0c188a6e4b85169bb0a6db11334628cf8075f19f7a71f712c516c23b8bea41ddd7a17badec7180c8bf6238f54713f9a6c9467b803b87138ca119446913540085

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a6114d0-5078-4c52-9ac7-daa3999ec98e.vbs

Filesize
730B

MD5
74194dc2541f9c22b66f645e335c23bb

SHA1
858a6a6c1a42e8e962c9f9b926e690ae5ba6bffc

SHA256
b0949a3501e85f1e886b8b98b9cbdc9099ffac75ff55c7107966b7809361a186

SHA512
bf4a0f306cc639f1c246631666583864da8edbdd3e1520f7a74256e5c13b7a1237770aa0a52284c0648892f4dcad785e30b56608807b5e79936fb9c7146d1ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c09e32-58f0-4cd4-ad4e-0c621e6f0e33.vbs

Filesize
730B

MD5
2034dcaa09ff23f120a5b0e611d1638c

SHA1
4e65e82184530765e2fb89ffeffc27be9d90e737

SHA256
9bbfceec3c2ab4c541cfa4f5da6205c1d1417f3b2c2a513c61770a64ba0ac4d6

SHA512
4be41769d5cf626ada66474f9173a853fbc797b724416830f600f1c6986af2e85f1f06c504df3c47acd407dd6e793c4f87ed7f9cdf0a179275632318f7e3070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jdsJyxgUl.bat

Filesize
219B

MD5
ca75e5d7ce1f0c5d95fd012c8daa25d0

SHA1
f7d0e528750e87753c271ae629a7134cc660fef0

SHA256
4136d5098ea82c2a2a7ff0d5f4976df10fa3d5cbba6cdafbe54061793b8464c1

SHA512
dd04e323ce12a0630b81eb1a0aee8021a11cfadaf7c5c83d7c4490e73a327af0f2b266fb04f4323f08e25d1c54851961e6f970f164ec46cd5f205b9e87e5ccf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\876d0c47-caaf-4e8e-91e9-431393fab869.vbs

Filesize
730B

MD5
31753859b880aee3c55bef93fc447ea6

SHA1
099477e3f07541f014889ad22205f29d001c899a

SHA256
31c847c0d9448c863646df1edab1833f8b18cf635780da6f03aeacc516659082

SHA512
04123508afe9a15f0b8883eede0f9aac51dea7affdcadf3b958281789274ceb40444aff3ee3ce5461bbde81da172d80df2828aa9e61634d9b5ce56840147003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\87fce8ad-d4f4-4506-96bd-8c25e35239c0.vbs

Filesize
730B

MD5
ec9976ad6c34a710b7e2ff45c3948ac4

SHA1
e36cb5bb49f7b30cbf7b5673c309a7d0f163dc6f

SHA256
6bdfb4bbbf850fca0fb16dde5f8a9844001c95631160bc1e7b230eba77bd67b1

SHA512
42472f9cdb0942c508e5381c5830db4d45ae88192b75c2964a877d6e0b3d02dcb8adcdc9567068010663b0ae9a196192e29cc48b4cc52cf813d97d4f775f2cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\92dae5e7-bdfe-4861-8726-8822d20877f3.vbs

Filesize
730B

MD5
fac1d41be3f05cad24d2edd47e7f6cb8

SHA1
ca21af0b6fcba799eaf460a96ac8774efc95a643

SHA256
e6f2976c465483b21f53cb67109e3f211768b1c27ad42c29e196094eca3c18ae

SHA512
34d481dc35d17549a68b6b79dca18d3c897e0d262371be92e6b08d66ec1d37c75ee9438db5a0862f21219a0b487d288e8aefb5d7626a21ef8e457b8743155891

Download Submit
C:\Users\Admin\AppData\Local\Temp\955e32b5-18b3-4e4a-a917-efc864a20fc9.vbs

Filesize
730B

MD5
475c56732b9fa6848b8cf2cee2b1f4d6

SHA1
daced465e4a9cbc8d56bff81d1e83389d8002edd

SHA256
bf8ea2f1a744c95f98caac20766a0a7593d08377179294f9ca86ff9d434a1a49

SHA512
8581d22fe2b007833812a1f913107b43ffd739023cb241aa5309f339c74b9b5e66ad3871ddede26e25fd797270f5b40bc09c83440964d9bd3b5428c53cc9cf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e3744c8-ddc9-4463-91dd-0770120abe33.vbs

Filesize
506B

MD5
0b865041fd3f879552fc977f7fa3b51e

SHA1
9eb034f528f713ac06664c8caff3246d20cba58b

SHA256
96c06ccbfcb4c79521d06c9308a204aae7667b9d423182414cada52c97f3b5ed

SHA512
3b3f040ad0b45d396ce9a95def346c48cdf51d666e7a17067b5e9afc4679cff42dded284082b3224e516368da3903971ed13d23bd892f484f571bcfd855946d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujsgga55.edf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\befd17de-5d89-4063-8895-922d04078b3f.vbs

Filesize
730B

MD5
b409d418119bae0cc9ac98f668269d75

SHA1
09f669136eb7cd04d802cf604b8928f86c092ddc

SHA256
57b9a71753e90c46e02be14a1b6c94a1e4a004779da7fbae4b82c41ac98db79c

SHA512
5b3882994e4434b31e4f5fb975da0b6889fcf08ad0ca50da59c8d247cb4fff2bc64826d26a078965d1d9c925d18ca0bcd6e2cd5cc6e4dd08ff999c9f1692ea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3e02363-ec7f-405f-8b4d-58411d379923.vbs

Filesize
730B

MD5
88d355d118aa9101e73cd10d8953e9b7

SHA1
94a3bfdad6d909e2ec564b32ecf919d2818f2501

SHA256
3c66353b379d9b7ec251cf6ba239504886f0501562b23f6d0fd748c639bdfbc9

SHA512
b8790058714cc442747fa2e8bb951e55c6ab44766d8a45d6a637166869b00789f1d25510dc1a8d9cf5b6b060f3e449f17f631a8a2e41d875239cc15aff878926

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57328a5-9095-4fc0-ade9-d73020d3943f.vbs

Filesize
729B

MD5
4699b1e76a3ea4174c3adab71d8b5357

SHA1
1e741dcb6c3f202e04545faf291273ada238b29f

SHA256
34d3423b539d59f00281c056b7edca1e047878f012f61bf0b3e8f30bfd7b8a5b

SHA512
c255da3105f151b8b78d694bfe9759ff67cfb9c5ae0d169bfd2b34e2d69807d99a96bbab771cc2b497f31daa6d9ecb0fb1324b4c45dfbdfc2e8033d22a5d17d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfdf802-f036-415e-a0d5-9804d5bf198a.vbs

Filesize
730B

MD5
8ad9bc2083574a29d31b9e9e5798c244

SHA1
ce4c2071482e92c3f1c6de52fd1800e690bf36e2

SHA256
e26a7fb52f9f2b7e853ca1c203718f46738b8d03be5aab0434e4da42f5fcce34

SHA512
d25846ef4877ae107f8f7a8e54cf48e4a0b2fd24cfe52c3681da2e74936d1bca51b6932fefde525829c771b1f4739941fe2704f046722b4f2fd1ecd501d408f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce75ac20-3ca1-4108-a461-b4db6850ea13.vbs

Filesize
730B

MD5
e496f0408c580f7b490fd2078aa9c9e6

SHA1
665b250437c0854a6fc182b4b56573a81bdb0be5

SHA256
ac2c35abf7b82cd016cba442373ace80f92beefcc9479d675e79da8b7c45f2e0

SHA512
a72ef80cd8c9d2960e99ad9e6fdc44a7eca21b0a0ab8ce1f2e39b00cd296f6e6d3d90c203478803d4081d2a16fca1822ff473323acaaea06478aa8f88077b9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dded549c-4853-4e4b-8fd1-fa6c399f14a7.vbs

Filesize
730B

MD5
43b38cbc5b41df944e5ca7a4931900e8

SHA1
9a4d718ffe69aa458ef7cd727eb36edaba004532

SHA256
13eaf7152aeb2a9759f710c361f2c023729a2aaba20c0fda1a2975eca0e79757

SHA512
c098a2c07df8e8cc464e4ec8b3db9b75ab74eb2eb0c1492df7ffb2d117f1dd92b2082c4666c093a81d6a72cd989281b5b3122f8607c17afd413475da5307a689

Download Submit
memory/1108-146-0x00000176F8980000-0x00000176F89A2000-memory.dmp

Filesize
136KB

Download
memory/2016-175-0x00007FFCB9E00000-0x00007FFCBA8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-0-0x00007FFCB9E03000-0x00007FFCB9E05000-memory.dmp

Filesize
8KB

Download
memory/2016-3-0x0000000003210000-0x000000000322C000-memory.dmp

Filesize
112KB

Download
memory/2016-6-0x000000001BD70000-0x000000001BD86000-memory.dmp

Filesize
88KB

Download
memory/2016-7-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/2016-8-0x000000001C3D0000-0x000000001C3E0000-memory.dmp

Filesize
64KB

Download
memory/2016-9-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/2016-11-0x000000001C3E0000-0x000000001C3EC000-memory.dmp

Filesize
48KB

Download
memory/2016-12-0x000000001C3F0000-0x000000001C3FA000-memory.dmp

Filesize
40KB

Download
memory/2016-13-0x000000001C400000-0x000000001C40E000-memory.dmp

Filesize
56KB

Download
memory/2016-14-0x000000001C610000-0x000000001C618000-memory.dmp

Filesize
32KB

Download
memory/2016-16-0x000000001C630000-0x000000001C63A000-memory.dmp

Filesize
40KB

Download
memory/2016-17-0x000000001C640000-0x000000001C64C000-memory.dmp

Filesize
48KB

Download
memory/2016-15-0x000000001C620000-0x000000001C628000-memory.dmp

Filesize
32KB

Download
memory/2016-10-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

Filesize
48KB

Download
memory/2016-4-0x000000001C410000-0x000000001C460000-memory.dmp

Filesize
320KB

Download
memory/2016-5-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/2016-2-0x00007FFCB9E00000-0x00007FFCBA8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-1-0x0000000000FA0000-0x0000000001142000-memory.dmp

Filesize
1.6MB

Download