dcrat | 5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92efd55895cd60b5057f3fb06ad84c78.exe
Size

1.6MB
MD5

92efd55895cd60b5057f3fb06ad84c78
SHA1

b3217c713b801276d98065e1eca81868545ebd02
SHA256

fd4af6cd1bb01129d61f2bb85c6f0e5dcb3c9cac02229988589ff93666be273c
SHA512

5cf3918370d98a5492496f82e69bef529fb426879e3293808ead5bb2f97e0bdcd30d288b25438a8b2009f58fd8eee522d0f1bb46ce359518a09a50a47794ae5c
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1880	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1880	schtasks.exe	87

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/5728-1-0x0000000000580000-0x0000000000722000-memory.dmp	dcrat
behavioral30/files/0x0007000000024287-26.dat	dcrat
behavioral30/files/0x0009000000024290-53.dat	dcrat
behavioral30/files/0x000b00000002427a-66.dat	dcrat
behavioral30/files/0x000900000002427f-77.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3096	powershell.exe
3928	powershell.exe
2964	powershell.exe
3052	powershell.exe
868	powershell.exe
816	powershell.exe
404	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	92efd55895cd60b5057f3fb06ad84c78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 14 IoCs

pid	Process
3068	TextInputHost.exe
4640	TextInputHost.exe
3092	TextInputHost.exe
4164	TextInputHost.exe
5412	TextInputHost.exe
4108	TextInputHost.exe
5728	TextInputHost.exe
4492	TextInputHost.exe
3644	TextInputHost.exe
4528	TextInputHost.exe
6064	TextInputHost.exe
2676	TextInputHost.exe
1080	TextInputHost.exe
3932	TextInputHost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\22eafd247d37c3	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCX8074.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX8279.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX78EC.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCX7FF6.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX8278.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\eddb19405b7ce1	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files (x86)\Microsoft.NET\5b884080fd4f94	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX78EB.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe	92efd55895cd60b5057f3fb06ad84c78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	92efd55895cd60b5057f3fb06ad84c78.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4140	schtasks.exe
5028	schtasks.exe
4124	schtasks.exe
2196	schtasks.exe
2684	schtasks.exe
5016	schtasks.exe
2976	schtasks.exe
3292	schtasks.exe
4892	schtasks.exe
3520	schtasks.exe
5048	schtasks.exe
3856	schtasks.exe
4312	schtasks.exe
1568	schtasks.exe
3656	schtasks.exe
2928	schtasks.exe
5068	schtasks.exe
4968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
5728	92efd55895cd60b5057f3fb06ad84c78.exe
404	powershell.exe
404	powershell.exe
3096	powershell.exe
3096	powershell.exe
2964	powershell.exe
2964	powershell.exe
3928	powershell.exe
3928	powershell.exe
3052	powershell.exe
3052	powershell.exe
816	powershell.exe
816	powershell.exe
868	powershell.exe
868	powershell.exe
404	powershell.exe
3096	powershell.exe
2964	powershell.exe
3928	powershell.exe
3052	powershell.exe
816	powershell.exe
868	powershell.exe
3068	TextInputHost.exe
4640	TextInputHost.exe
3092	TextInputHost.exe
4164	TextInputHost.exe
4164	TextInputHost.exe
5412	TextInputHost.exe
5412	TextInputHost.exe
4108	TextInputHost.exe
5728	TextInputHost.exe
4492	TextInputHost.exe
3644	TextInputHost.exe
4528	TextInputHost.exe
6064	TextInputHost.exe
2676	TextInputHost.exe
1080	TextInputHost.exe
3932	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5728	92efd55895cd60b5057f3fb06ad84c78.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3068	TextInputHost.exe
Token: SeDebugPrivilege	4640	TextInputHost.exe
Token: SeDebugPrivilege	3092	TextInputHost.exe
Token: SeDebugPrivilege	4164	TextInputHost.exe
Token: SeDebugPrivilege	5412	TextInputHost.exe
Token: SeDebugPrivilege	4108	TextInputHost.exe
Token: SeDebugPrivilege	5728	TextInputHost.exe
Token: SeDebugPrivilege	4492	TextInputHost.exe
Token: SeDebugPrivilege	3644	TextInputHost.exe
Token: SeDebugPrivilege	4528	TextInputHost.exe
Token: SeDebugPrivilege	6064	TextInputHost.exe
Token: SeDebugPrivilege	2676	TextInputHost.exe
Token: SeDebugPrivilege	1080	TextInputHost.exe
Token: SeDebugPrivilege	3932	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5728 wrote to memory of 404	5728	92efd55895cd60b5057f3fb06ad84c78.exe	152
PID 5728 wrote to memory of 404	5728	92efd55895cd60b5057f3fb06ad84c78.exe	152
PID 5728 wrote to memory of 816	5728	92efd55895cd60b5057f3fb06ad84c78.exe	111
PID 5728 wrote to memory of 816	5728	92efd55895cd60b5057f3fb06ad84c78.exe	111
PID 5728 wrote to memory of 868	5728	92efd55895cd60b5057f3fb06ad84c78.exe	112
PID 5728 wrote to memory of 868	5728	92efd55895cd60b5057f3fb06ad84c78.exe	112
PID 5728 wrote to memory of 3052	5728	92efd55895cd60b5057f3fb06ad84c78.exe	114
PID 5728 wrote to memory of 3052	5728	92efd55895cd60b5057f3fb06ad84c78.exe	114
PID 5728 wrote to memory of 2964	5728	92efd55895cd60b5057f3fb06ad84c78.exe	115
PID 5728 wrote to memory of 2964	5728	92efd55895cd60b5057f3fb06ad84c78.exe	115
PID 5728 wrote to memory of 3928	5728	92efd55895cd60b5057f3fb06ad84c78.exe	116
PID 5728 wrote to memory of 3928	5728	92efd55895cd60b5057f3fb06ad84c78.exe	116
PID 5728 wrote to memory of 3096	5728	92efd55895cd60b5057f3fb06ad84c78.exe	117
PID 5728 wrote to memory of 3096	5728	92efd55895cd60b5057f3fb06ad84c78.exe	117
PID 5728 wrote to memory of 3764	5728	92efd55895cd60b5057f3fb06ad84c78.exe	124
PID 5728 wrote to memory of 3764	5728	92efd55895cd60b5057f3fb06ad84c78.exe	124
PID 3764 wrote to memory of 4180	3764	cmd.exe	126
PID 3764 wrote to memory of 4180	3764	cmd.exe	126
PID 3764 wrote to memory of 3068	3764	cmd.exe	132
PID 3764 wrote to memory of 3068	3764	cmd.exe	132
PID 3068 wrote to memory of 2828	3068	TextInputHost.exe	134
PID 3068 wrote to memory of 2828	3068	TextInputHost.exe	134
PID 3068 wrote to memory of 3292	3068	TextInputHost.exe	135
PID 3068 wrote to memory of 3292	3068	TextInputHost.exe	135
PID 2828 wrote to memory of 4640	2828	WScript.exe	138
PID 2828 wrote to memory of 4640	2828	WScript.exe	138
PID 4640 wrote to memory of 5732	4640	TextInputHost.exe	140
PID 4640 wrote to memory of 5732	4640	TextInputHost.exe	140
PID 4640 wrote to memory of 1772	4640	TextInputHost.exe	141
PID 4640 wrote to memory of 1772	4640	TextInputHost.exe	141
PID 5732 wrote to memory of 3092	5732	WScript.exe	143
PID 5732 wrote to memory of 3092	5732	WScript.exe	143
PID 3092 wrote to memory of 5576	3092	TextInputHost.exe	147
PID 3092 wrote to memory of 5576	3092	TextInputHost.exe	147
PID 3092 wrote to memory of 1776	3092	TextInputHost.exe	148
PID 3092 wrote to memory of 1776	3092	TextInputHost.exe	148
PID 5576 wrote to memory of 4164	5576	WScript.exe	157
PID 5576 wrote to memory of 4164	5576	WScript.exe	157
PID 4164 wrote to memory of 3520	4164	TextInputHost.exe	159
PID 4164 wrote to memory of 3520	4164	TextInputHost.exe	159
PID 4164 wrote to memory of 4620	4164	TextInputHost.exe	160
PID 4164 wrote to memory of 4620	4164	TextInputHost.exe	160
PID 3520 wrote to memory of 5412	3520	WScript.exe	161
PID 3520 wrote to memory of 5412	3520	WScript.exe	161
PID 5412 wrote to memory of 5828	5412	TextInputHost.exe	163
PID 5412 wrote to memory of 5828	5412	TextInputHost.exe	163
PID 5412 wrote to memory of 2196	5412	TextInputHost.exe	164
PID 5412 wrote to memory of 2196	5412	TextInputHost.exe	164
PID 5828 wrote to memory of 4108	5828	WScript.exe	166
PID 5828 wrote to memory of 4108	5828	WScript.exe	166
PID 4108 wrote to memory of 4640	4108	TextInputHost.exe	168
PID 4108 wrote to memory of 4640	4108	TextInputHost.exe	168
PID 4108 wrote to memory of 2428	4108	TextInputHost.exe	169
PID 4108 wrote to memory of 2428	4108	TextInputHost.exe	169
PID 4640 wrote to memory of 5728	4640	WScript.exe	170
PID 4640 wrote to memory of 5728	4640	WScript.exe	170
PID 5728 wrote to memory of 4600	5728	TextInputHost.exe	172
PID 5728 wrote to memory of 4600	5728	TextInputHost.exe	172
PID 5728 wrote to memory of 5448	5728	TextInputHost.exe	173
PID 5728 wrote to memory of 5448	5728	TextInputHost.exe	173
PID 4600 wrote to memory of 4492	4600	WScript.exe	175
PID 4600 wrote to memory of 4492	4600	WScript.exe	175
PID 4492 wrote to memory of 3604	4492	TextInputHost.exe	177
PID 4492 wrote to memory of 3604	4492	TextInputHost.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe
"C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2D66yhLWpd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b87f8b81-2a10-4397-855b-9cc7659ce09a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6005c7c0-1aa7-45a1-99ee-900a0ea07023.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32227afa-563e-4a14-8030-7be1247633ac.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e9ab11-1b78-4d89-a44c-12229c4f0a78.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbbd836e-5eae-46fa-b828-6703af8a3168.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\497061f3-5df3-4af1-9905-25f885084692.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8df212-86e5-4749-9ec7-5888d93c9035.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3984060-b7ca-434f-b522-9e34b59a3d64.vbs"
        18⤵
        
        PID:3604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b82d5008-2fde-47f1-9725-13e8ff7f7118.vbs"
        20⤵
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\290ed638-3f4a-4784-89c9-218e42d5cbc6.vbs"
        22⤵
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44b3969f-389f-4aa3-99f7-1aad0496d971.vbs"
        24⤵
        
        PID:6116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df187467-4a3c-410d-a603-56a9a61dfaca.vbs"
        26⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faeb3ec6-b87e-46f0-b6ff-e3a779995b19.vbs"
        28⤵
        
        PID:2112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54afa389-104b-4b03-9ee6-bb4bd1a4e9ff.vbs"
        30⤵
        
        PID:5528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\617a10e7-1e17-49e2-8386-3fe2271958b4.vbs"
        30⤵
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a5e8ae9-43b8-46c2-b4b7-26bb9c20d973.vbs"
        28⤵
        
        PID:3468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cd285d6-33bd-4710-a972-d8c8f2c53e33.vbs"
        26⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b336829-b903-40d7-8b85-23835e6ef487.vbs"
        24⤵
        
        PID:3772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba9bf83-9cc0-4ed4-8615-91a63f3e91e7.vbs"
        22⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f9e2c0-f625-479c-a343-7f4bf6c8dfce.vbs"
        20⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f1e0cb-41e9-4834-8bcb-499b33323116.vbs"
        18⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a719b489-c285-49b8-8dd6-d7953c3dfae2.vbs"
        16⤵
        
        PID:5448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447172aa-c9b1-44c5-b19b-56a2f5520444.vbs"
        14⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f45b22-db69-4b88-ba5d-6ffd19b63279.vbs"
        12⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ddd24e1-96d5-41f7-85d2-3105d34aa0b7.vbs"
        10⤵
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4faded02-c150-4feb-9f40-96698878362c.vbs"
        8⤵
        
        PID:1776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17a6cc2-4314-4c2f-8b8a-7116504e4294.vbs"
        6⤵
        
        PID:1772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50b7e04a-de21-4e0b-9d97-802460dbc241.vbs"
      4⤵
      PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe

Filesize
1.6MB

MD5
5a96fc318ca564aac965410929381a80

SHA1
523e13f4a1f5fc64a1cb7cc8677a9d91f1691dbe

SHA256
1534c37d95ded9c007f879d6654b98441538fc73aea9f080dd7b4de12039f366

SHA512
0862331f8f40408dcfcb49c22a65888c59e5652c8d9623a5548f39de65bdeb19b2d301b232088c9ae2b9f6c6ca8bbf2aa92050ac1cf254cf3c8c571b98840bcb

Download Submit
C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe

Filesize
1.6MB

MD5
92efd55895cd60b5057f3fb06ad84c78

SHA1
b3217c713b801276d98065e1eca81868545ebd02

SHA256
fd4af6cd1bb01129d61f2bb85c6f0e5dcb3c9cac02229988589ff93666be273c

SHA512
5cf3918370d98a5492496f82e69bef529fb426879e3293808ead5bb2f97e0bdcd30d288b25438a8b2009f58fd8eee522d0f1bb46ce359518a09a50a47794ae5c

Download Submit
C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe

Filesize
1.6MB

MD5
eeeb8d0e850f034b3cbafb4896cb3a8b

SHA1
15c4b7f286bec427df344255fff3c69381d48454

SHA256
029041b26ac4587b6d24cb02461bfa828d81f7ca3959d84823d9d343b325e67d

SHA512
b761c548a66f3cab25e964b63c4dd06f3a8ba4d86e9db86eee316d934300868349073defea1a51af7226f9b8e8e908f0a1c9ed7ca90e6223979e84bb675879e2

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
1.6MB

MD5
fd15831c6e0b72730796669df9576e81

SHA1
fd5ddd88327980bfdb010658b591048d8200ebe9

SHA256
74ca3d63a7cbd0003dd033430a9d051bda6c449cad624e9da9cb22af0b609b60

SHA512
b46e3b02244d1ebecc39001dd40a211972ccd106897f39ee3bee6061cdbde77cb947597aa969c414bf51644240034c744e4f1cffef5d0867364cca4158528fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7e1db446e63a2aae76cd85440a08856

SHA1
c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

SHA256
7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

SHA512
dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
585ae509b29294ceb1637c32af422246

SHA1
e21edbd701684feb5ae759179580b7112b49e5c0

SHA256
364297915313f721d05e88312a8ad352c1edc72833b320c04cb640ecd4544cc1

SHA512
b484e5f7b67cdd752800ba2e4240329dfe0fd83bf01cbad869f8a3d7c9ab041e400c421ddc7652634067af8d8eb7c21a1e48420ee2685f9d7d914ecc57572b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b9ebff96ce87bb2948f7decf425a335

SHA1
3172582f4a97c15d0c5162c547fe81b811de8e74

SHA256
9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c

SHA512
4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

Download Submit
C:\Users\Admin\AppData\Local\Temp\15e9ab11-1b78-4d89-a44c-12229c4f0a78.vbs

Filesize
743B

MD5
541dc8c2668a7d0944f4027a882d98b7

SHA1
7fe0961ec81b70a24406f999ac78fe8282038748

SHA256
40307819089b2c1b0e3f292ab98f8d07da5041c3cade79a10f8657d6728df320

SHA512
89dee5d517fe6ad0d78d27e84723bdd30a51a872e81b124812725e3f89a4f203e754e04f95d2a7a772a914920b68ce2271f977df39e513e641525d695fba53ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\290ed638-3f4a-4784-89c9-218e42d5cbc6.vbs

Filesize
743B

MD5
dba271e4ecc793eb7836291706ac2564

SHA1
698264af882526537826cf9579619579b4200609

SHA256
a7c1474d2ca4016de4ad0fcab6f94acad4295f949b8d4eea8f8ab0b20bc6b460

SHA512
7ecdebb3c1d527322fe26024e6a8e531090e2d888304e1b18cffd1cbd40f32fa64d81424197d111642b1934bbbae628bbe21b77a8615863f51d5ea373537fa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D66yhLWpd.bat

Filesize
232B

MD5
10b7376e0576119f7c8d032c375d50cf

SHA1
a9bdd5aeb9144adab9e730ae24ee2949247faa69

SHA256
5099d5f07a9c442629c0f8a065f5f355e0f43feb1bf4741219ee5151c8b87999

SHA512
55e1ee49ff1ff1eb76a14a8784b9f0c232ae6139a58dab6d452d515431575755fb2760979ac7dbe79e22dd4fb64bfe049ff90c104a74a7f8a563976253507b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32227afa-563e-4a14-8030-7be1247633ac.vbs

Filesize
743B

MD5
823a3fb8c960ea785310cd55c989c399

SHA1
5669b31ea78524a839448769ded758d2a2f527c9

SHA256
e0c1ae38050cb911b41e66c457d20b6b7a4cc17df964d15ef13d5606ba12d35c

SHA512
fd5c05871d74ac729be8ad8541bedf66234b5219169c716a278a187ca7ae1ef89d285cb9a04110461e99cf3845f0923f09a4ed0221c39661e5084055e1de6ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e8df212-86e5-4749-9ec7-5888d93c9035.vbs

Filesize
743B

MD5
0138ee3332fc71a1a7e10be3a1aefe1e

SHA1
5d0373582354a9193bf811d50295e23dbbee9691

SHA256
3f9d78b486abb96ff3b86e42aecb94d72a1e692c42e6d172f8ef0b66daf83068

SHA512
161ae84c1eae67f07640ee4c55ea013749dc54bfb0eeb31db1b4bd6f10f966e5885def6a32eb782eeb8de6e8ae02f4a2dae44877ecec4e2971134549fe15a6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44b3969f-389f-4aa3-99f7-1aad0496d971.vbs

Filesize
743B

MD5
3f2e07187e0bd1d8ff670b9d5f704a06

SHA1
36072d99d2b31545c545a12ca6baf25b499f9474

SHA256
a0d0f91e52ead261563af59f00f0cc7da48f9e75ba0ce45b42f4d7bced2b76a0

SHA512
3a091924bda9c6087de2dcc3f02fe19f8829f6ac792ede6c5119532b21284e1fec16196ea849f9cded9bb2f181ee883539243c99c7d45614cad88b83187d06d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\497061f3-5df3-4af1-9905-25f885084692.vbs

Filesize
743B

MD5
649b96c3330f7a827b26e48cc42199f5

SHA1
037500c977e5915af51e075106cb8f95f0255efd

SHA256
582e2bfec4e1974137bcd14978604a90aedf3f9d383c778ea28ddf9e2f240e11

SHA512
8e23b6dfc4aae1ff834fafc772eddf8214f9ec750301d38b2a1f9ad915d8b4340c0a8e4d3171ad21da6d16e3d4804578264a96c31cfcafab6a45125e7f7258fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\50b7e04a-de21-4e0b-9d97-802460dbc241.vbs

Filesize
519B

MD5
badd35c566b17b39fca9d3a146c33f54

SHA1
540ac121281d6988d572670e23c53b9266e3134c

SHA256
766eda440a11c908987e33afa2f172017a54626c9f865131f7edfdc020dd838c

SHA512
f197d303ea270ddbc6859f0bd0659b4eb715603e695ff4095ffb3e1d479ef80508dda9ee13503f0e5bac1b05dce1f5d945ef467578eb27b9edc17b4176352e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\54afa389-104b-4b03-9ee6-bb4bd1a4e9ff.vbs

Filesize
743B

MD5
0f9b1eaa434ed49e3c0c2a6267b0424a

SHA1
080475fc30eac76cfc9ddad63c8d7085c6011fbb

SHA256
02a7b595e40d6fe35f066c2f1414ebcc0855f17a676a899eece3837d227be0d4

SHA512
b23d90f72a4e294f976d9550ad668da3d8755a31344bc9b6a7ed01fd033da4c5368b77ab01e854bd472f8c4717a8dbcc298a788dbdfbf09b713ed83fca44ddb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6005c7c0-1aa7-45a1-99ee-900a0ea07023.vbs

Filesize
743B

MD5
5e93527611559840795faa848a730872

SHA1
a953525b5ca3af98e650e6ccbe877069026e51b1

SHA256
eb60f0930de9b8394244fe2e9e1cc37d479406d874e0019b1aefae4207bf9cae

SHA512
700fd48dcf44e086c72e5cca4af82da2fab0cd798aca5ba400ce318b25a66071975c27da49f45ad7217851056ebe257e8502d736597cae670c370792c95936f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qivak5mh.xse.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b82d5008-2fde-47f1-9725-13e8ff7f7118.vbs

Filesize
743B

MD5
96a8a5318eb6735bf9811fcb4243c186

SHA1
61d657a5225bdac91cae80763d7f78d584082a6d

SHA256
45db9f492a0b6e2bc62b902fd7e8db4ea0241e9df757b412e246b79894d5f023

SHA512
312be6383dea5ee2db321530660a9b0afe0e43a14b3f9d706bd4f61d977e0bb8a0538120949188c3cdfbe4ac6b32c5127761ba93c8c35beaf57cba6a486f3a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b87f8b81-2a10-4397-855b-9cc7659ce09a.vbs

Filesize
743B

MD5
10c7f5ffafc955e01428b887d0adb746

SHA1
2a67831f59a092803c1a574cbdbcc4522a5bbf65

SHA256
f99364c58997838e49808fe6183888404a3e38a6cbfc53894a4849dcfcfd5900

SHA512
0af1973345ed22f8fa816deccb43c6a24727cf94584e89c4214b1f0cb4bdeae952d05077164c7ac242f3bfcce62a388cd873d8d11b46e1fdcdd62eda8778cb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3984060-b7ca-434f-b522-9e34b59a3d64.vbs

Filesize
743B

MD5
782ce8abc826758142fed383b4e597c4

SHA1
41f04a995f9c777806e592ea1e862fb11812d84b

SHA256
8ad1fd575f207975f9333917b398c5e0ef4a646e090d1a8a880724e9cb45f36d

SHA512
cd6a53ae03f82e282b4f1bc2edeaa4d56b581bbedbe3709373401299d3c48a46867051fd62d987865179d0ccfbd6a9395cb760dcaa6f387617a4fba8c17fc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbbd836e-5eae-46fa-b828-6703af8a3168.vbs

Filesize
743B

MD5
ca9e918acebec0c2993ec648729cd0f3

SHA1
daca21e06e38968516e498abd3b2fb5fc0a85764

SHA256
57b61e5ba1300c74ac1a9c46c2ba5483e9b2886d77c2c89fe1836f98adab8cac

SHA512
c5bf64d531b3057903dee42b80450240a20c3b823c31a159de4f7c4b738cc1d090c3dfbf13a71d441a49a4e136c4835f68c7409026a4091dadef50d434bb7271

Download Submit
C:\Users\Admin\AppData\Local\Temp\df187467-4a3c-410d-a603-56a9a61dfaca.vbs

Filesize
743B

MD5
afe27402e1a3425b0aae4247aab97392

SHA1
7c0057abb6ff6b7bb83ef24146cf1d6655f4cbbf

SHA256
0e218085e32b3eb9fd9f2d7a76ed0530cdc209798670ec920188c22249ca5b79

SHA512
05f7915b1040d0a2930b0cba64c5a1aeadded96f1afaf047c508391ecff75f37794fcf14fa8a3f9a5502ca836d0f8f4eb63a91b552e043e83816af8092264d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\faeb3ec6-b87e-46f0-b6ff-e3a779995b19.vbs

Filesize
743B

MD5
ddd8d1b590d48a6a8d56f6a30f0aa409

SHA1
ae4f1e7f746264b5258b7747acc13f0640ab14d1

SHA256
383e8d6dc540c881179983c8efd8b21c9cb14759746167e4692aab4c1a4ecb87

SHA512
a79333b4bf9b9f2333f1e0517bc1332b8916ad1320262b86ddc81d6ad7fe0e3b4cb85b2508e68d620fac7f723466bb87fded9d1ded4c8c2b3eb14e41c59f16e6

Download Submit
memory/404-118-0x0000019271FA0000-0x0000019271FC2000-memory.dmp

Filesize
136KB

Download
memory/5728-17-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/5728-11-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/5728-14-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/5728-12-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/5728-15-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/5728-6-0x000000001B970000-0x000000001B986000-memory.dmp

Filesize
88KB

Download
memory/5728-16-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/5728-10-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/5728-8-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/5728-13-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/5728-5-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/5728-4-0x000000001B9C0000-0x000000001BA10000-memory.dmp

Filesize
320KB

Download
memory/5728-9-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/5728-129-0x00007FFD30320000-0x00007FFD30DE1000-memory.dmp

Filesize
10.8MB

Download
memory/5728-3-0x000000001B950000-0x000000001B96C000-memory.dmp

Filesize
112KB

Download
memory/5728-2-0x00007FFD30320000-0x00007FFD30DE1000-memory.dmp

Filesize
10.8MB

Download
memory/5728-0-0x00007FFD30323000-0x00007FFD30325000-memory.dmp

Filesize
8KB

Download
memory/5728-7-0x000000001B990000-0x000000001B998000-memory.dmp

Filesize
32KB

Download
memory/5728-1-0x0000000000580000-0x0000000000722000-memory.dmp

Filesize
1.6MB

Download