dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
60s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855deb7775f714f1fc46d29fea8008d7.exe
Size

1.6MB
MD5

855deb7775f714f1fc46d29fea8008d7
SHA1

421d56096458fc456190f7c8d13fa3435c051264
SHA256

795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
SHA512

7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2620	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	2620	schtasks.exe	87

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/3476-1-0x0000000000890000-0x0000000000A32000-memory.dmp	dcrat
behavioral10/files/0x000300000001e59d-26.dat	dcrat
behavioral10/files/0x000300000001e723-125.dat	dcrat
behavioral10/files/0x000600000001eae5-161.dat	dcrat
behavioral10/files/0x00090000000240ef-172.dat	dcrat
behavioral10/files/0x000800000001ebd8-183.dat	dcrat
behavioral10/memory/5896-367-0x0000000000400000-0x00000000005A2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3452	powershell.exe
2332	powershell.exe
1296	powershell.exe
3832	powershell.exe
3036	powershell.exe
4188	powershell.exe
3188	powershell.exe
960	powershell.exe
3968	powershell.exe
4016	powershell.exe
3364	powershell.exe
3540	powershell.exe
2848	powershell.exe
3552	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	855deb7775f714f1fc46d29fea8008d7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 5 IoCs

pid	Process
5896	unsecapp.exe
3560	unsecapp.exe
1928	unsecapp.exe
5752	unsecapp.exe
5676	unsecapp.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Security\RCX885C.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX9877.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX9878.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Common Files\Services\5b884080fd4f94	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Security\RCX885D.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Windows Security\SppExtComObj.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Security\SppExtComObj.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Windows Security\e1ef82546f0b02	855deb7775f714f1fc46d29fea8008d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	855deb7775f714f1fc46d29fea8008d7.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4016	schtasks.exe
960	schtasks.exe
836	schtasks.exe
4180	schtasks.exe
2104	schtasks.exe
5092	schtasks.exe
4592	schtasks.exe
2212	schtasks.exe
404	schtasks.exe
4380	schtasks.exe
4944	schtasks.exe
3976	schtasks.exe
812	schtasks.exe
4056	schtasks.exe
536	schtasks.exe
4140	schtasks.exe
2544	schtasks.exe
3036	schtasks.exe
2040	schtasks.exe
5004	schtasks.exe
2332	schtasks.exe
4556	schtasks.exe
4416	schtasks.exe
3716	schtasks.exe
532	schtasks.exe
1664	schtasks.exe
976	schtasks.exe
2772	schtasks.exe
2384	schtasks.exe
704	schtasks.exe
4704	schtasks.exe
4560	schtasks.exe
1292	schtasks.exe
2184	schtasks.exe
4888	schtasks.exe
4392	schtasks.exe
4544	schtasks.exe
3540	schtasks.exe
1228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3476	855deb7775f714f1fc46d29fea8008d7.exe
3540	powershell.exe
3540	powershell.exe
3832	powershell.exe
3832	powershell.exe
3036	powershell.exe
2848	powershell.exe
3036	powershell.exe
2848	powershell.exe
3364	powershell.exe
3364	powershell.exe
4188	powershell.exe
4188	powershell.exe
3968	powershell.exe
3968	powershell.exe
960	powershell.exe
960	powershell.exe
3452	powershell.exe
3452	powershell.exe
4016	powershell.exe
4016	powershell.exe
1296	powershell.exe
1296	powershell.exe
2332	powershell.exe
2332	powershell.exe
3552	powershell.exe
3552	powershell.exe
3188	powershell.exe
3188	powershell.exe
3552	powershell.exe
4188	powershell.exe
3832	powershell.exe
3832	powershell.exe
2848	powershell.exe
3540	powershell.exe
3540	powershell.exe
3364	powershell.exe
3036	powershell.exe
3968	powershell.exe
3452	powershell.exe
960	powershell.exe
2332	powershell.exe
3188	powershell.exe
1296	powershell.exe
4016	powershell.exe
5896	unsecapp.exe
3560	unsecapp.exe
1928	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	855deb7775f714f1fc46d29fea8008d7.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	5896	unsecapp.exe
Token: SeDebugPrivilege	3560	unsecapp.exe
Token: SeDebugPrivilege	1928	unsecapp.exe
Token: SeDebugPrivilege	5752	unsecapp.exe
Token: SeDebugPrivilege	5676	unsecapp.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 3832	3476	855deb7775f714f1fc46d29fea8008d7.exe	131
PID 3476 wrote to memory of 3832	3476	855deb7775f714f1fc46d29fea8008d7.exe	131
PID 3476 wrote to memory of 3540	3476	855deb7775f714f1fc46d29fea8008d7.exe	132
PID 3476 wrote to memory of 3540	3476	855deb7775f714f1fc46d29fea8008d7.exe	132
PID 3476 wrote to memory of 2848	3476	855deb7775f714f1fc46d29fea8008d7.exe	133
PID 3476 wrote to memory of 2848	3476	855deb7775f714f1fc46d29fea8008d7.exe	133
PID 3476 wrote to memory of 3036	3476	855deb7775f714f1fc46d29fea8008d7.exe	134
PID 3476 wrote to memory of 3036	3476	855deb7775f714f1fc46d29fea8008d7.exe	134
PID 3476 wrote to memory of 1296	3476	855deb7775f714f1fc46d29fea8008d7.exe	135
PID 3476 wrote to memory of 1296	3476	855deb7775f714f1fc46d29fea8008d7.exe	135
PID 3476 wrote to memory of 2332	3476	855deb7775f714f1fc46d29fea8008d7.exe	140
PID 3476 wrote to memory of 2332	3476	855deb7775f714f1fc46d29fea8008d7.exe	140
PID 3476 wrote to memory of 3364	3476	855deb7775f714f1fc46d29fea8008d7.exe	141
PID 3476 wrote to memory of 3364	3476	855deb7775f714f1fc46d29fea8008d7.exe	141
PID 3476 wrote to memory of 3452	3476	855deb7775f714f1fc46d29fea8008d7.exe	142
PID 3476 wrote to memory of 3452	3476	855deb7775f714f1fc46d29fea8008d7.exe	142
PID 3476 wrote to memory of 3552	3476	855deb7775f714f1fc46d29fea8008d7.exe	143
PID 3476 wrote to memory of 3552	3476	855deb7775f714f1fc46d29fea8008d7.exe	143
PID 3476 wrote to memory of 4188	3476	855deb7775f714f1fc46d29fea8008d7.exe	144
PID 3476 wrote to memory of 4188	3476	855deb7775f714f1fc46d29fea8008d7.exe	144
PID 3476 wrote to memory of 4016	3476	855deb7775f714f1fc46d29fea8008d7.exe	145
PID 3476 wrote to memory of 4016	3476	855deb7775f714f1fc46d29fea8008d7.exe	145
PID 3476 wrote to memory of 3968	3476	855deb7775f714f1fc46d29fea8008d7.exe	146
PID 3476 wrote to memory of 3968	3476	855deb7775f714f1fc46d29fea8008d7.exe	146
PID 3476 wrote to memory of 960	3476	855deb7775f714f1fc46d29fea8008d7.exe	147
PID 3476 wrote to memory of 960	3476	855deb7775f714f1fc46d29fea8008d7.exe	147
PID 3476 wrote to memory of 3188	3476	855deb7775f714f1fc46d29fea8008d7.exe	148
PID 3476 wrote to memory of 3188	3476	855deb7775f714f1fc46d29fea8008d7.exe	148
PID 3476 wrote to memory of 1912	3476	855deb7775f714f1fc46d29fea8008d7.exe	160
PID 3476 wrote to memory of 1912	3476	855deb7775f714f1fc46d29fea8008d7.exe	160
PID 1912 wrote to memory of 5444	1912	cmd.exe	162
PID 1912 wrote to memory of 5444	1912	cmd.exe	162
PID 1912 wrote to memory of 5896	1912	cmd.exe	164
PID 1912 wrote to memory of 5896	1912	cmd.exe	164
PID 5896 wrote to memory of 6076	5896	unsecapp.exe	165
PID 5896 wrote to memory of 6076	5896	unsecapp.exe	165
PID 5896 wrote to memory of 6124	5896	unsecapp.exe	166
PID 5896 wrote to memory of 6124	5896	unsecapp.exe	166
PID 6076 wrote to memory of 3560	6076	WScript.exe	167
PID 6076 wrote to memory of 3560	6076	WScript.exe	167
PID 3560 wrote to memory of 5140	3560	unsecapp.exe	168
PID 3560 wrote to memory of 5140	3560	unsecapp.exe	168
PID 3560 wrote to memory of 5184	3560	unsecapp.exe	169
PID 3560 wrote to memory of 5184	3560	unsecapp.exe	169
PID 5140 wrote to memory of 1928	5140	WScript.exe	178
PID 5140 wrote to memory of 1928	5140	WScript.exe	178
PID 1928 wrote to memory of 5584	1928	unsecapp.exe	179
PID 1928 wrote to memory of 5584	1928	unsecapp.exe	179
PID 1928 wrote to memory of 5020	1928	unsecapp.exe	180
PID 1928 wrote to memory of 5020	1928	unsecapp.exe	180
PID 5584 wrote to memory of 5752	5584	WScript.exe	181
PID 5584 wrote to memory of 5752	5584	WScript.exe	181
PID 5752 wrote to memory of 5760	5752	unsecapp.exe	182
PID 5752 wrote to memory of 5760	5752	unsecapp.exe	182
PID 5752 wrote to memory of 5388	5752	unsecapp.exe	183
PID 5752 wrote to memory of 5388	5752	unsecapp.exe	183
PID 5760 wrote to memory of 5676	5760	WScript.exe	184
PID 5760 wrote to memory of 5676	5760	WScript.exe	184
PID 5676 wrote to memory of 3792	5676	unsecapp.exe	185
PID 5676 wrote to memory of 3792	5676	unsecapp.exe	185
PID 5676 wrote to memory of 4976	5676	unsecapp.exe	186
PID 5676 wrote to memory of 4976	5676	unsecapp.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe
"C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G4XGbOexjG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5444
- - C:\Users\Admin\unsecapp.exe
    "C:\Users\Admin\unsecapp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eca3a32d-1450-4c61-8a05-143a2265b501.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6076
    - - C:\Users\Admin\unsecapp.exe
        
        C:\Users\Admin\unsecapp.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55833ac6-78a4-4393-aba7-8401de03d104.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5140
        
        C:\Users\Admin\unsecapp.exe
        
        C:\Users\Admin\unsecapp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e2f9b6-d284-4061-84be-2d2b27b68dbe.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5584
        
        C:\Users\Admin\unsecapp.exe
        
        C:\Users\Admin\unsecapp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3990d82c-07d2-4ddc-b1d6-88bece6282ea.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Users\Admin\unsecapp.exe
        
        C:\Users\Admin\unsecapp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a82a5c-a8f4-42f9-a80a-dee9bb367826.vbs"
        12⤵
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\166d8e13-3086-452e-89b5-33e578168dc9.vbs"
        12⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\167c3fba-7287-4647-9cc4-60d93ffebf55.vbs"
        10⤵
        
        PID:5388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bfd7cd4-3dd0-4ce7-a09c-5a6ecb20b6da.vbs"
        8⤵
        
        PID:5020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec623684-50da-4646-857d-8cd094a9f061.vbs"
        6⤵
        
        PID:5184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c387637d-f5f9-46da-b5a7-972a6b08a60a.vbs"
      4⤵
      PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\3ac54ddf2ad44faa6035cf\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\3ac54ddf2ad44faa6035cf\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\0154351536fc379faee1\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\SppExtComObj.exe

Filesize
1.6MB

MD5
9040f2aa9f429c49a3952fab45f175e2

SHA1
49c53f0eb73f8bbd598311955011deefe7df0288

SHA256
9aa7161ce04ab51f9984946406621097b7698da9bbfb61bc63cf6148a734c1f5

SHA512
f7732ac35dd5a216a7040b1f61fe619a046556b2ef1bcdbca91f1e5d36418454e575baad31abbed6d00d1d2cfeff1268fae06acd54913520fff080b697c89089

Download Submit
C:\0154351536fc379faee1\csrss.exe

Filesize
1.6MB

MD5
739b0754dae7ce3be249c340a9f47a8b

SHA1
e2f70bbd91ecc612ca6d29ad5afdc93023899718

SHA256
b5f1fc8d279199a739485878840a614439fee2efc69298a734f5aa5a92f337b0

SHA512
8d04bf666131350a0cbb56839ee382f0d16004aea1ff1978bc9125dc6cc89cee505919f84c3e8551e9c043c0fed55a1136700c906b4cf993c7d5c530d87680b7

Download Submit
C:\3ac54ddf2ad44faa6035cf\sihost.exe

Filesize
1.6MB

MD5
a03b2e40e61111e237324f7d51c43c9e

SHA1
9c0032769e83242b9ee1661289a01244cdddf2eb

SHA256
426a39e6cb6f46ddd6dc292d415a16f9b06342ba91bad60a8e89e65f83694888

SHA512
8abe376ce968aa27ea70de72b2e3fe1a9deeddc31b9d683fff4df26d43eec3d5c81515e03f15356541a0176f2dce9dccd1b0133b6556594ce0f09056c29980ff

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.6MB

MD5
855deb7775f714f1fc46d29fea8008d7

SHA1
421d56096458fc456190f7c8d13fa3435c051264

SHA256
795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf

SHA512
7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1641de9a10da75d35edf03caa25212c1

SHA1
af73f64f8ce476c8e4eb56bb40426552d34c1ca8

SHA256
5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2

SHA512
7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba8a00bf6995531451ca4ff43fecb0b9

SHA1
b590fcea37aded3a4b083ec2d39252fe10b97a61

SHA256
0211a4649daa040751a5aa8f42a3a677da906daf541fed80c2aa19c5f77e9a60

SHA512
e0cfd06cca6fca6d1b742ecc354c2dd9c0e72ab456525086c2af388cb533ff5baae6ff83fa4347dfbc28edc1a2c1b97ef986c2923af9634fd6d967e913fbfc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c44e48d99762769d16de7352e92db16f

SHA1
29898e4ddba0504899fe0f0a55abacf592689e1b

SHA256
f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8

SHA512
18cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c8fd95453fe0d2e0f6d8e5ac03994b1

SHA1
d9811cf9d2b0d0ce3387fd79462cd592b005a634

SHA256
232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58

SHA512
f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
414d3c7be38a289ed476cbb4ac51ae02

SHA1
da5113d85edeefb5a20093e40bb548356316f3d4

SHA256
d8ce1dc945725e1a003fcad77de1db795d498003228c088506d286c613cd2e31

SHA512
a6db753e6e9515ad845b8073e725b2d0182697c6dd77475291aefd19e7331d78039c00b9d41ee8cccfabe9a2e0e2ab25753ebf9a865c4a3c18d77ee27cbbae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c3cddab7d289f65843ac7ee436ff50d

SHA1
19046a0dc416df364c3be08b72166becf7ed9ca9

SHA256
c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

SHA512
45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3990d82c-07d2-4ddc-b1d6-88bece6282ea.vbs

Filesize
703B

MD5
d9f15668438c15b79b797d9e41feee9e

SHA1
d95d6a054d7b4b3f93169be76a41290ed14cbe90

SHA256
5d05b6633a3c42083a785754d4b72ccf0e30d9ebaa94574e4173cbe63afc2030

SHA512
8894f8cdb38e0a5cfef025a8e24a872c5ad9117136b2f20d56be7d39801d1de3c2956173ca5a40246ee6e8a4603bc5a4e92b4f97afe3e4bd96d7d895a554f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\55833ac6-78a4-4393-aba7-8401de03d104.vbs

Filesize
703B

MD5
e9d2a3aa758e994ef2e214d9a8e2990b

SHA1
d7e10965a618b54ea25c79aae1cefde41de2be51

SHA256
4884e4e7a6944f0756d0d017bedc97da6c816e8c179bb66e7b1844d9e2021036

SHA512
f647132a7a2f015a77b511798ac321c6ea2b991d0d6d2ea3c6ea347d896f22c9dc8bb0336b6b9eb9a1bbaac1c9d6b0e8cec3239565eacec07bd50cf3b64528cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\81a82a5c-a8f4-42f9-a80a-dee9bb367826.vbs

Filesize
703B

MD5
710310103f247b5c5c759e145a6591dc

SHA1
e4a4b626e66505d97d328ced1144cbff9c8d5f17

SHA256
04787cc485477478d4b59868a8d3e0bc45525175512848ee35654cc9efdcada7

SHA512
1e76a8fae50998ac943a8931165b3748c36736930a0d32e4c50216059f55aeb58ddf9876d29c043490523432de105acf4d1a50c19f168ca0f9b59203f1781021

Download Submit
C:\Users\Admin\AppData\Local\Temp\G4XGbOexjG.bat

Filesize
192B

MD5
8106ba855055880b35b0d5137fd59dd1

SHA1
9e632d6dac9cbf57b9c18c9f057358390a489b5b

SHA256
f8c8b68455698123dd82eb5c7d86b08f0ead9be9a888a19dd152ace003bb7fc2

SHA512
982331f05725a02baafea828eb19f1dee98a0b3bfac6c235ac5e19bd0971483df09cb38b185b9b8b1239752cfba22c88c729d025fcc48f91484165fb484250a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljezvcof.xua.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2e2f9b6-d284-4061-84be-2d2b27b68dbe.vbs

Filesize
703B

MD5
656fbb25fbb6175b5ec9013dd110d87e

SHA1
d88c2ca3d2e73be3aa946b3e17294f2624102e6f

SHA256
6975af445961b89323453b6f473118ae2d1cee530d0d22e16362e9b6fa3aa254

SHA512
e635e207195681020916e9a854a89d2117236e7f6ba1f83d2e6b852331e2bd99234884baee0db0e89d26b676312b29380432fc9d92e8fb0b16fa95709ce126de

Download Submit
C:\Users\Admin\AppData\Local\Temp\c387637d-f5f9-46da-b5a7-972a6b08a60a.vbs

Filesize
479B

MD5
508feda3662ef30d21c1da420d9d48da

SHA1
bd180c42390ce54739fb0462a1d30a3fe97d9733

SHA256
1d70e7cd58192509995e981e0053e259ed89b62935df7f835b696b9d6af98c5f

SHA512
c9bab49a648f32b1336a44838776e2122ca864805871cdbbe3d2ac9c3a61a8222543f23f03198917775a6057e205280233d1e1690d0fb37188e8bdb00aaeb7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eca3a32d-1450-4c61-8a05-143a2265b501.vbs

Filesize
703B

MD5
675a19049cc2db942396fc482eb6d400

SHA1
7f1b703c4ffbe3a21cf19de29bc7906a35877505

SHA256
6ec50b845a44af869ba448873d1fd5dcab4e472171b82f7810388451831c3962

SHA512
4efd67fdbf5e37b3cbf4d693478df8506951874133532d9f06fd21c1cf2d04273d9be7ad924ce7adb32a767b77068b8fc8e3d1accb4f6970a2b3025a2addbeac

Download Submit
C:\Users\Admin\unsecapp.exe

Filesize
1.6MB

MD5
e20d677bc741ab3a0c636f09cdefb60b

SHA1
4b877592ea11aa47079398953206cdc6dbb9c25b

SHA256
974e9a8e956d961c80a9b22c1814fce014ff5b891f93f0c7929798819f2e4670

SHA512
63539b23fd6d8fa2ee04640e2a1815d8958db7ade4ac36132df1ceba75060d219cb8b2289dd8cb1d4ca6c09021918f25aa38e2382df31510dbdb877872299366

Download Submit
memory/3476-2-0x00007FFC80300000-0x00007FFC80DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-12-0x0000000002C30000-0x0000000002C3A000-memory.dmp

Filesize
40KB

Download
memory/3476-11-0x0000000002C20000-0x0000000002C2C000-memory.dmp

Filesize
48KB

Download
memory/3476-184-0x00007FFC80303000-0x00007FFC80305000-memory.dmp

Filesize
8KB

Download
memory/3476-266-0x00007FFC80300000-0x00007FFC80DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-6-0x0000000002B80000-0x0000000002B96000-memory.dmp

Filesize
88KB

Download
memory/3476-5-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/3476-4-0x0000000002BD0000-0x0000000002C20000-memory.dmp

Filesize
320KB

Download
memory/3476-3-0x00000000011E0000-0x00000000011FC000-memory.dmp

Filesize
112KB

Download
memory/3476-10-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

Filesize
48KB

Download
memory/3476-0-0x00007FFC80303000-0x00007FFC80305000-memory.dmp

Filesize
8KB

Download
memory/3476-199-0x00007FFC80300000-0x00007FFC80DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-13-0x0000000002C40000-0x0000000002C4E000-memory.dmp

Filesize
56KB

Download
memory/3476-14-0x0000000002C60000-0x0000000002C68000-memory.dmp

Filesize
32KB

Download
memory/3476-15-0x000000001B7C0000-0x000000001B7C8000-memory.dmp

Filesize
32KB

Download
memory/3476-17-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/3476-8-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/3476-7-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/3476-1-0x0000000000890000-0x0000000000A32000-memory.dmp

Filesize
1.6MB

Download
memory/3476-16-0x000000001B7D0000-0x000000001B7DA000-memory.dmp

Filesize
40KB

Download
memory/3476-9-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/3832-210-0x000001E942170000-0x000001E942192000-memory.dmp

Filesize
136KB

Download
memory/5896-367-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download