dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4200	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/5432-1-0x00000000007E0000-0x0000000000982000-memory.dmp	dcrat
behavioral18/files/0x00070000000242d9-26.dat	dcrat
behavioral18/files/0x00070000000242e5-43.dat	dcrat
behavioral18/files/0x000e000000024178-54.dat	dcrat
behavioral18/files/0x00090000000242e9-88.dat	dcrat
behavioral18/memory/4844-193-0x0000000000570000-0x0000000000712000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3568	powershell.exe
4504	powershell.exe
6072	powershell.exe
2336	powershell.exe
4676	powershell.exe
4060	powershell.exe
5560	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 14 IoCs

pid	Process
4844	SearchApp.exe
5940	SearchApp.exe
4720	SearchApp.exe
5272	SearchApp.exe
5032	SearchApp.exe
3520	SearchApp.exe
2604	SearchApp.exe
1916	SearchApp.exe
2368	SearchApp.exe
5260	SearchApp.exe
4320	SearchApp.exe
4644	SearchApp.exe
3784	SearchApp.exe
3460	SearchApp.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Google\Update\eddb19405b7ce1	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\edge_BITS_4632_1251945546\upfc.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX8511.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\edge_BITS_4632_1251945546\RCX87A4.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\edge_BITS_4632_1251945546\upfc.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\edge_BITS_4632_1251945546\ea1d8f6d871115	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX8493.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\edge_BITS_4632_1251945546\RCX8726.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPHost\TextInputHost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Windows\Boot\EFI\bg-BG\dllhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Windows\servicing\es-ES\Idle.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe
336	schtasks.exe
3064	schtasks.exe
1964	schtasks.exe
3132	schtasks.exe
1380	schtasks.exe
3508	schtasks.exe
1940	schtasks.exe
4944	schtasks.exe
3532	schtasks.exe
5232	schtasks.exe
4960	schtasks.exe
5196	schtasks.exe
4704	schtasks.exe
3260	schtasks.exe
3960	schtasks.exe
5000	schtasks.exe
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2336	powershell.exe
2336	powershell.exe
4504	powershell.exe
4504	powershell.exe
6072	powershell.exe
6072	powershell.exe
4060	powershell.exe
4060	powershell.exe
4676	powershell.exe
4676	powershell.exe
3568	powershell.exe
3568	powershell.exe
5560	powershell.exe
5560	powershell.exe
6072	powershell.exe
3568	powershell.exe
4676	powershell.exe
2336	powershell.exe
4504	powershell.exe
4060	powershell.exe
5560	powershell.exe
4844	SearchApp.exe
5940	SearchApp.exe
4720	SearchApp.exe
4720	SearchApp.exe
5272	SearchApp.exe
5272	SearchApp.exe
5032	SearchApp.exe
5032	SearchApp.exe
3520	SearchApp.exe
2604	SearchApp.exe
1916	SearchApp.exe
2368	SearchApp.exe
5260	SearchApp.exe
4320	SearchApp.exe
4644	SearchApp.exe
3784	SearchApp.exe
3460	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	6072	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	4844	SearchApp.exe
Token: SeDebugPrivilege	5940	SearchApp.exe
Token: SeDebugPrivilege	4720	SearchApp.exe
Token: SeDebugPrivilege	5272	SearchApp.exe
Token: SeDebugPrivilege	5032	SearchApp.exe
Token: SeDebugPrivilege	3520	SearchApp.exe
Token: SeDebugPrivilege	2604	SearchApp.exe
Token: SeDebugPrivilege	1916	SearchApp.exe
Token: SeDebugPrivilege	2368	SearchApp.exe
Token: SeDebugPrivilege	5260	SearchApp.exe
Token: SeDebugPrivilege	4320	SearchApp.exe
Token: SeDebugPrivilege	4644	SearchApp.exe
Token: SeDebugPrivilege	3784	SearchApp.exe
Token: SeDebugPrivilege	3460	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5432 wrote to memory of 2336	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	111
PID 5432 wrote to memory of 2336	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	111
PID 5432 wrote to memory of 4676	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	112
PID 5432 wrote to memory of 4676	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	112
PID 5432 wrote to memory of 4060	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	113
PID 5432 wrote to memory of 4060	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	113
PID 5432 wrote to memory of 5560	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	114
PID 5432 wrote to memory of 5560	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	114
PID 5432 wrote to memory of 6072	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	115
PID 5432 wrote to memory of 6072	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	115
PID 5432 wrote to memory of 4504	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	116
PID 5432 wrote to memory of 4504	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	116
PID 5432 wrote to memory of 3568	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	117
PID 5432 wrote to memory of 3568	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	117
PID 5432 wrote to memory of 5524	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	125
PID 5432 wrote to memory of 5524	5432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	125
PID 5524 wrote to memory of 2704	5524	cmd.exe	127
PID 5524 wrote to memory of 2704	5524	cmd.exe	127
PID 5524 wrote to memory of 4844	5524	cmd.exe	133
PID 5524 wrote to memory of 4844	5524	cmd.exe	133
PID 4844 wrote to memory of 6048	4844	SearchApp.exe	135
PID 4844 wrote to memory of 6048	4844	SearchApp.exe	135
PID 4844 wrote to memory of 4452	4844	SearchApp.exe	136
PID 4844 wrote to memory of 4452	4844	SearchApp.exe	136
PID 6048 wrote to memory of 5940	6048	WScript.exe	139
PID 6048 wrote to memory of 5940	6048	WScript.exe	139
PID 5940 wrote to memory of 3392	5940	SearchApp.exe	141
PID 5940 wrote to memory of 3392	5940	SearchApp.exe	141
PID 5940 wrote to memory of 2540	5940	SearchApp.exe	142
PID 5940 wrote to memory of 2540	5940	SearchApp.exe	142
PID 3392 wrote to memory of 4720	3392	WScript.exe	146
PID 3392 wrote to memory of 4720	3392	WScript.exe	146
PID 4720 wrote to memory of 3284	4720	SearchApp.exe	149
PID 4720 wrote to memory of 3284	4720	SearchApp.exe	149
PID 4720 wrote to memory of 4860	4720	SearchApp.exe	150
PID 4720 wrote to memory of 4860	4720	SearchApp.exe	150
PID 3284 wrote to memory of 5272	3284	WScript.exe	152
PID 3284 wrote to memory of 5272	3284	WScript.exe	152
PID 5272 wrote to memory of 4456	5272	SearchApp.exe	154
PID 5272 wrote to memory of 4456	5272	SearchApp.exe	154
PID 5272 wrote to memory of 4636	5272	SearchApp.exe	155
PID 5272 wrote to memory of 4636	5272	SearchApp.exe	155
PID 4456 wrote to memory of 5032	4456	WScript.exe	156
PID 4456 wrote to memory of 5032	4456	WScript.exe	156
PID 5032 wrote to memory of 5000	5032	SearchApp.exe	158
PID 5032 wrote to memory of 5000	5032	SearchApp.exe	158
PID 5032 wrote to memory of 3868	5032	SearchApp.exe	159
PID 5032 wrote to memory of 3868	5032	SearchApp.exe	159
PID 5000 wrote to memory of 3520	5000	WScript.exe	163
PID 5000 wrote to memory of 3520	5000	WScript.exe	163
PID 3520 wrote to memory of 2220	3520	SearchApp.exe	165
PID 3520 wrote to memory of 2220	3520	SearchApp.exe	165
PID 3520 wrote to memory of 3976	3520	SearchApp.exe	166
PID 3520 wrote to memory of 3976	3520	SearchApp.exe	166
PID 2220 wrote to memory of 2604	2220	WScript.exe	169
PID 2220 wrote to memory of 2604	2220	WScript.exe	169
PID 2604 wrote to memory of 1428	2604	SearchApp.exe	171
PID 2604 wrote to memory of 1428	2604	SearchApp.exe	171
PID 2604 wrote to memory of 1644	2604	SearchApp.exe	172
PID 2604 wrote to memory of 1644	2604	SearchApp.exe	172
PID 1428 wrote to memory of 1916	1428	WScript.exe	173
PID 1428 wrote to memory of 1916	1428	WScript.exe	173
PID 1916 wrote to memory of 3392	1916	SearchApp.exe	175
PID 1916 wrote to memory of 3392	1916	SearchApp.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4632_1251945546\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HXYUNDfkzI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5524
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2704
- - C:\Recovery\WindowsRE\SearchApp.exe
    "C:\Recovery\WindowsRE\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af93262-1df7-418d-8a4b-5bfe9b71270d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6048
    - - C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5940
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230a9f8c-0617-4619-8d9b-0a26c1f1adcc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aa0730d-9d10-48e2-a809-44065d962342.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f924487-2716-42c8-bc5a-c8ac5d8d6243.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4d2bc0-b151-4421-afaf-eee325187d19.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d69b5d6-2bd2-4f1b-9316-fc078f08efd6.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843b41e1-cdfc-480c-a74c-d9b0178c2a2a.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11f935c4-4cd0-4994-a14f-414ccd9ff300.vbs"
        18⤵
        
        PID:3392
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d7139c-6b46-408e-9d65-8adaaee29120.vbs"
        20⤵
        
        PID:4676
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c14cf539-9d4d-4939-9430-80562939f6f1.vbs"
        22⤵
        
        PID:4816
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2f64813-02b5-4209-8df4-8b813ab6c32a.vbs"
        24⤵
        
        PID:4756
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be8d6572-6822-4fb0-b55a-008668c76af0.vbs"
        26⤵
        
        PID:5876
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8ca14f3-6f5c-4474-9f31-ae3dcf3fa887.vbs"
        28⤵
        
        PID:5108
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf421ea7-d61b-4cf7-8c2c-0f85c035f814.vbs"
        30⤵
        
        PID:4744
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        31⤵
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\528b275e-3d3f-4006-abee-763c19f96058.vbs"
        30⤵
        
        PID:5744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add92cc0-1370-4241-a7c4-88e1e46d2fa9.vbs"
        28⤵
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b246b04-c545-4322-ae07-32ca199ffc95.vbs"
        26⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d0863d-c3a8-4bc3-8c85-be4c95db0fd0.vbs"
        24⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e448fd12-51bc-4ef4-8a3d-03926088ef9a.vbs"
        22⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3dba6a5-f903-4636-a810-78b14fd7eda0.vbs"
        20⤵
        
        PID:5152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4819ca35-ed78-4d0b-b7bb-ec318fed03c5.vbs"
        18⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ca5dad3-8ea0-4056-984e-ae0225ddb474.vbs"
        16⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6af486a-d05c-48ff-853d-e0cb778aa9b0.vbs"
        14⤵
        
        PID:3976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2a2d205-6f93-4770-b9ea-1aa3cfcaf3a4.vbs"
        12⤵
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ed1fef4-f93d-4ab3-b49d-4ed45b27d10d.vbs"
        10⤵
        
        PID:4636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47b5e3f6-0d02-42d0-93fb-497c7b45c32e.vbs"
        8⤵
        
        PID:4860
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\038a18a7-b700-476e-8e43-247b19c613e7.vbs"
        6⤵
        
        PID:2540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b642e56-9ef7-4264-82cf-7a7661ec417f.vbs"
      4⤵
      PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4632_1251945546\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4632_1251945546\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4632_1251945546\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\34c553de294c1d56d0a800105b\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\34c553de294c1d56d0a800105b\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\backgroundTaskHost.exe

Filesize
1.6MB

MD5
764714f9c3bde7e6882d7a1c5eebb529

SHA1
d40399fc2bf9eee878da321c18644ba9e6e528ce

SHA256
6f4800423bae1077bf2383920f51c83b0e8ab4f7a1c69d7ff7dbcf978410d128

SHA512
797e2b6011cf34c842c264d974fcc653c61b325b88e11be3627421220983c4909627ffb91c2501a8869198f5c301634f60b3a1c859448d7bfb91e6cf365a4d40

Download Submit
C:\Program Files\edge_BITS_4632_1251945546\upfc.exe

Filesize
1.6MB

MD5
0965c207c5d7f5411b89e8e755063e79

SHA1
2a6d7df4b0a7051f263d5150b202392da59c2082

SHA256
6d8adcf3303da302ef286f3ea61c1eb2927f1d9eb538cb5c6e54e0727dc90b28

SHA512
cae1a2f3501b5127233c394e5b271c09aff0a1c019ce178587ea27f9ed9a822c50558dcd637dd800ab3fc074fe7c9180b7d43f237ba484507bf5c6b9f4a53637

Download Submit
C:\Recovery\WindowsRE\SearchApp.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
C:\Recovery\WindowsRE\SearchApp.exe

Filesize
1.6MB

MD5
b414ad520a7ad71bd4acb78978ba445e

SHA1
dcfab0680b3d9a4075cd1eb8a9c9709165b48db2

SHA256
e608c4661a13906dda52d05a8794ff8d0d3caebc54ebbb6aaef12b9fa6f63443

SHA512
45726fa93c75226e0b2fa940b0abff80574161ba9f72f3f7c23c4b37b7d8a2be8f524dd345bd9eaf318de2ccbba8dede56a593437df75f7992e9f570832f9a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f4d10dbf9ff1d91226db0d9ce144033c

SHA1
1fab5ab3cf8b1b48a146c3b83fad67c44c7bd791

SHA256
9d031d7193142f7120476fe181006807652ca4a8caec8fbab3f4e4f86e451049

SHA512
2b2fed18f7ac2e15f990aaab9fc814f040bd387cbf3634b8d2cf22d24bb8fe8c87e88f640190dce2362edcb33cc3296bb76ed462f847cfac8eaab6456000f1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3930c254bc452c4fd482e3059b51aa04

SHA1
1c4bdb41f3a7c9d4ee3b8006cc1c495eedb072e2

SHA256
dc600748250d0dd0ffa2678049fd27ec8e56e262601f3d8a1fd7165b03f97fb8

SHA512
888565d3356b5fc9c5b55d6842c520487219bc2220df2a56cb74686cc36ebd0fbd1ab9f2a17f93e9c15031c8d6366031a4fd2c1f8a6f8cf96bc3a5939f31a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffaa33c7940b1713a06a430414e2fed0

SHA1
b1ade7d02b641ac9c382fad82cb1d31362fafb91

SHA256
a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e

SHA512
61913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\07d7139c-6b46-408e-9d65-8adaaee29120.vbs

Filesize
711B

MD5
7ea5c7240af6d3ae2e55aa8a4e753b80

SHA1
a9f942e5f48e8bd149d9b4e6c06d3c24f57fb5a6

SHA256
46e9f80b3c286688bed3d0623c158aa4f7404f9bc4b90f867cc59b21b294eee6

SHA512
56a6cdaf23b51294c01f36184cfe8daa07050cd892796e76bbfeabf1d943760dee03d55c9c02e9224df0746f03dcbe03525daaa46669d9d14a32dab74d2120b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aa0730d-9d10-48e2-a809-44065d962342.vbs

Filesize
711B

MD5
9661bf35a18037c5800dac6977c7c831

SHA1
0d183fb054d3bb2a195aca554d94692a3f46cf79

SHA256
7653510675b5b8488616b2035d40cc1eb44477239b6b42dcc99a9dae31adefe7

SHA512
34b914469ec0ad2e39046d3396ad86940045c464c6fe6916a9504370006429ea3b547a82d1cefa24500d45048029f335951d8e9c080a6b1d3f130ef6c8e8cc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b642e56-9ef7-4264-82cf-7a7661ec417f.vbs

Filesize
487B

MD5
1b16f17451ade26c7f1f48bbb59db9d9

SHA1
dca5474d66bb63fdc77569b8452f0d597089e49a

SHA256
8fee40080bff1d6963b3b7736293e0b5e21c65aa7e23e6ec59d9c769265d42c7

SHA512
8ffd6c9aee0f5a43ea96a5178c0eb6259d4b78cb4b49e9fe9303c24e38a51486c50ccf583436c660f25f65f6fe54452789a0edad29082e2f04de91e486ad987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\11f935c4-4cd0-4994-a14f-414ccd9ff300.vbs

Filesize
711B

MD5
81541ecb437777f644fc853e387fdea5

SHA1
a1b1763e3ef27eaf7dfacb83e471a9f69f7ac7f1

SHA256
329e1af09a2233d6a3b58e20219f672de120fc5913e942b1677dd030c56bc9a0

SHA512
fcba682b9159bca536ea1e0c7e100e97ca1d25c1a125385cec5c1091e7f445794389d2d609173319fc3650e0157e1aa0c2ff02b381790a26ce628eb89b0cb274

Download Submit
C:\Users\Admin\AppData\Local\Temp\230a9f8c-0617-4619-8d9b-0a26c1f1adcc.vbs

Filesize
711B

MD5
8c1097ef540230fdffc9148040bf758f

SHA1
089e4fc62eaec0d09549c51f651176173b9267aa

SHA256
17446fc0040fd80d31de452cfafd177ef230fc59a706b81c27ad1fc64efbd9f1

SHA512
a1f04cb03c4d64e2d3e9d40625342168f5471df67b04891000c5599e4b5d32c9d345a8cf720a8d13c6d5abece3de67f4db2460601ba0bef8d9c78ee3fddc2454

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f924487-2716-42c8-bc5a-c8ac5d8d6243.vbs

Filesize
711B

MD5
f9d5bc0a63d5a4c4f9ff05ac356b7671

SHA1
984b5c7f8a215e68c94a214d8375e9eb9fc265ff

SHA256
491aeea331fca6fb918e747dae9cb8da938afef2881c0149debff469929988ed

SHA512
8e034287a3e160d48d9f3eac1bcf7b25b124fd31ba3e240834ac6e10736f43852e406ea25b5b380fdccb9dd3dbe2666e67507b4d22259a35ee531ba508da5600

Download Submit
C:\Users\Admin\AppData\Local\Temp\843b41e1-cdfc-480c-a74c-d9b0178c2a2a.vbs

Filesize
711B

MD5
9bf6093359e721eb82358a4a30a02c86

SHA1
2629c27a2713260b5cea3916d513e1509c41c6a1

SHA256
5cd74ec27989d44c72798b39385b17a9fef8d8ad37f26210eeaec15eb4f68440

SHA512
64320e8a25b6d61045779df5f79ef1ec11bdcec287989a1bd167f29fb046539cd4fa53af5a173175eee7d89b6af90a8cded2f231f1dbd838c157aaba5e74ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8af93262-1df7-418d-8a4b-5bfe9b71270d.vbs

Filesize
711B

MD5
65724d7b3484697a1a66eaa2824aa457

SHA1
9ada015beea585c2d2393b07b5721afec2bedcd2

SHA256
8a2166b07a815adf1361f3c85439e75f3f5b0b5a120cdd3192d6c7517340071b

SHA512
43e52624ca1f520d937c557c8300764a0d34f8ee3462a0d358bf7fd5fe8f80b78da68733739e7a6c7cb3be591b0954a1a70ec04fea10d372537261c90bc69722

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d69b5d6-2bd2-4f1b-9316-fc078f08efd6.vbs

Filesize
711B

MD5
8d13bae8a40551748801cd52c9f7d6b4

SHA1
9d96b6e6632590c859fcc36a6e1cde9670eb9425

SHA256
ca975849489a019f936613233b31bebc7ccdc018b20bfda8506043bea5780804

SHA512
99b0021271c429b007994b84af37b6dd3de3544999de69bc9fcbbd8311c2757bbec6f3afdb74e0cceec21b196492124fcad3d84e9069f3dfc7d57c6ffe988412

Download Submit
C:\Users\Admin\AppData\Local\Temp\HXYUNDfkzI.bat

Filesize
200B

MD5
335a45047c78ca492faac57a5428ce9f

SHA1
970c620306b7b1ef45d3d4a607e07231aa964d2d

SHA256
3945e72af0c5d46eb0033a0e3946f14454eda83f728a3108d409017696dbac71

SHA512
4bda2f4efc04d86f02d5282d78b29f38c7dbf2ce052d4072a561651c5e8072d1b0ed03fa534fe2f29d0c3759fb1417aab2d52147b14cc84d5b167caef0e97346

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsp2xral.2j1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2f64813-02b5-4209-8df4-8b813ab6c32a.vbs

Filesize
711B

MD5
e8d441721bb8aa857edb0e2489c933b7

SHA1
cf7421ae533bbeb7e567d790200f8b02e49f39d1

SHA256
519e4834739a348403c4614e6b5ddfd2f0a7506b521669a60724fb01aa0583d6

SHA512
182b422a2d57429083d7100c25b9b3b73d4d7006cfb3b97379291ec1ad28f5a7004c34c909e902407dd091bb236fe0b383d8fa9764147bb2133412fc14fc210b

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8d6572-6822-4fb0-b55a-008668c76af0.vbs

Filesize
711B

MD5
13108cabb7459bc8252e8947377602e7

SHA1
ec88c4779ae4ceb0f2f2fd1cd00a1e086e8c890c

SHA256
cfb5ec34ac841e6572345cef0a96622ee3bf8293f5c33fcddcad08d728914fac

SHA512
6e083f1781ab3449c02c6175ee04682e59a294a1451d9ebab6ed5b51a298811430dba004455967970dd1b2b6963a5f5cbce53bf213a4ff66bd9a0ce54815c1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf421ea7-d61b-4cf7-8c2c-0f85c035f814.vbs

Filesize
711B

MD5
4f3999b14ffe4e7e32b7a233270a2578

SHA1
08486968b19a44ccc1655740debb924bfacb8c42

SHA256
064d0c18c1f531dbdc64d593c8ed5e29b35607e8cb4f2f228a6830660af7128d

SHA512
e63e6929f93a5811f284fb10416a82310107f971ed5af197b440489f6d36bc3f64317a8b4df3b5b2020f8f7d681a7e09f90d078b64c2e72d808b9677a065b7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c14cf539-9d4d-4939-9430-80562939f6f1.vbs

Filesize
711B

MD5
1a655b66433d4bb4d443a24d0c18a4f9

SHA1
a3d0f2fc654e1c1ec183083fa301e10b03c9893f

SHA256
15ea5bb7c51ef0b3eb71862310c8e379dcd2250b75ee4860c2c692e06599b721

SHA512
93110df9b4ebed1e890587ebb3f3e55674c6011399ebc7af09fa2de982a45024eb6976518c4c0a69720160499391312aaa2f0c8376d633e6398900dc5c31956e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc4d2bc0-b151-4421-afaf-eee325187d19.vbs

Filesize
711B

MD5
b5e50cbfc78e081f803ba1df3952d947

SHA1
42c0ea51854cd823f82cf2cb4ebddae54cd92e57

SHA256
49bec6950191110fc70f35f271945428651a118eefc3e7a02150d65e110ea50e

SHA512
b2dd28b283e817a5341d2edac05e750424fbdaec8b14685fa41de1762ff633fd661f415ceb08d29dc75ad96e77e9b498871883804101096e3cae8882daae1a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8ca14f3-6f5c-4474-9f31-ae3dcf3fa887.vbs

Filesize
711B

MD5
9304f23c765b9112f3718daef2b5025e

SHA1
84a4db1e7f4b7e01543bd9b60da5cf9529703f8c

SHA256
0df2ce87fbb10eaea9f3fbd826c6f0e7f51077194f1e8765c02675be2fb1b419

SHA512
22f94d328eeb8e00ff008da1aecc1c737d26a1652e16f85e38986053d3cb2ae2ade84e3c8f5e277395ee997624a656a7f5f5a127d01ade7e617d1d97bb1ac13e

Download Submit
memory/2336-113-0x000001AE51FC0000-0x000001AE51FE2000-memory.dmp

Filesize
136KB

Download
memory/4844-193-0x0000000000570000-0x0000000000712000-memory.dmp

Filesize
1.6MB

Download
memory/5432-12-0x000000001B620000-0x000000001B62A000-memory.dmp

Filesize
40KB

Download
memory/5432-142-0x00007FFB58BD0000-0x00007FFB59691000-memory.dmp

Filesize
10.8MB

Download
memory/5432-17-0x000000001BE90000-0x000000001BE9C000-memory.dmp

Filesize
48KB

Download
memory/5432-15-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/5432-16-0x000000001BE80000-0x000000001BE8A000-memory.dmp

Filesize
40KB

Download
memory/5432-14-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/5432-13-0x000000001B630000-0x000000001B63E000-memory.dmp

Filesize
56KB

Download
memory/5432-1-0x00000000007E0000-0x0000000000982000-memory.dmp

Filesize
1.6MB

Download
memory/5432-11-0x000000001B610000-0x000000001B61C000-memory.dmp

Filesize
48KB

Download
memory/5432-9-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/5432-10-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/5432-7-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/5432-8-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/5432-6-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

Filesize
88KB

Download
memory/5432-5-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/5432-4-0x000000001B650000-0x000000001B6A0000-memory.dmp

Filesize
320KB

Download
memory/5432-3-0x0000000002AB0000-0x0000000002ACC000-memory.dmp

Filesize
112KB

Download
memory/5432-2-0x00007FFB58BD0000-0x00007FFB59691000-memory.dmp

Filesize
10.8MB

Download
memory/5432-0-0x00007FFB58BD3000-0x00007FFB58BD5000-memory.dmp

Filesize
8KB

Download