dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
59s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Size

1.6MB
MD5

522b3cc9b8e0565c5a2eb2d40b7a9513
SHA1

86d71ba007afecc0f28e9815086992099a13f2c4
SHA256

86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
SHA512

a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6136	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5960	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	5192	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	5192	schtasks.exe	86

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/1592-1-0x0000000000DD0000-0x0000000000F72000-memory.dmp	dcrat
behavioral26/files/0x00090000000242d8-29.dat	dcrat
behavioral26/files/0x000a000000016918-61.dat	dcrat
behavioral26/files/0x0008000000024302-74.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5940	powershell.exe
5232	powershell.exe
5884	powershell.exe
6140	powershell.exe
3968	powershell.exe
2160	powershell.exe
5572	powershell.exe
3732	powershell.exe
5860	powershell.exe
5752	powershell.exe
5896	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

Executes dropped EXE 6 IoCs

pid	Process
5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
3212	dllhost.exe
2732	dllhost.exe
5092	dllhost.exe
2460	dllhost.exe
1232	dllhost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File created	C:\Program Files\edge_BITS_4752_1692656379\29c1c3cc0f7685	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tracing\RCX670F.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Windows\tracing\RCX678D.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Windows\tracing\sihost.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File created	C:\Windows\tracing\sihost.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File created	C:\Windows\tracing\66fc9ff0ee96c2	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3972	schtasks.exe
4544	schtasks.exe
6136	schtasks.exe
2400	schtasks.exe
4160	schtasks.exe
3820	schtasks.exe
2396	schtasks.exe
3928	schtasks.exe
4044	schtasks.exe
5904	schtasks.exe
4548	schtasks.exe
4620	schtasks.exe
4640	schtasks.exe
4656	schtasks.exe
4252	schtasks.exe
624	schtasks.exe
4524	schtasks.exe
4824	schtasks.exe
4836	schtasks.exe
5960	schtasks.exe
4320	schtasks.exe
3524	schtasks.exe
4580	schtasks.exe
1172	schtasks.exe
3540	schtasks.exe
2352	schtasks.exe
5288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
5884	powershell.exe
5884	powershell.exe
5940	powershell.exe
5940	powershell.exe
5860	powershell.exe
5860	powershell.exe
6140	powershell.exe
6140	powershell.exe
5860	powershell.exe
5232	powershell.exe
5232	powershell.exe
5884	powershell.exe
5232	powershell.exe
6140	powershell.exe
5940	powershell.exe
5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
5752	powershell.exe
5752	powershell.exe
2160	powershell.exe
2160	powershell.exe
3968	powershell.exe
3968	powershell.exe
5896	powershell.exe
5896	powershell.exe
5572	powershell.exe
5572	powershell.exe
5752	powershell.exe
3732	powershell.exe
3732	powershell.exe
2160	powershell.exe
5572	powershell.exe
3968	powershell.exe
5896	powershell.exe
3732	powershell.exe
3212	dllhost.exe
2732	dllhost.exe
5092	dllhost.exe
2460	dllhost.exe
1232	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Token: SeDebugPrivilege	5752	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3212	dllhost.exe
Token: SeDebugPrivilege	2732	dllhost.exe
Token: SeDebugPrivilege	5092	dllhost.exe
Token: SeDebugPrivilege	2460	dllhost.exe
Token: SeDebugPrivilege	1232	dllhost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 5940	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	102
PID 1592 wrote to memory of 5940	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	102
PID 1592 wrote to memory of 5232	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	103
PID 1592 wrote to memory of 5232	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	103
PID 1592 wrote to memory of 6140	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	104
PID 1592 wrote to memory of 6140	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	104
PID 1592 wrote to memory of 5860	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	105
PID 1592 wrote to memory of 5860	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	105
PID 1592 wrote to memory of 5884	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	106
PID 1592 wrote to memory of 5884	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	106
PID 1592 wrote to memory of 5996	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	112
PID 1592 wrote to memory of 5996	1592	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	112
PID 5996 wrote to memory of 3968	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	129
PID 5996 wrote to memory of 3968	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	129
PID 5996 wrote to memory of 2160	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	130
PID 5996 wrote to memory of 2160	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	130
PID 5996 wrote to memory of 5752	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	131
PID 5996 wrote to memory of 5752	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	131
PID 5996 wrote to memory of 5896	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	132
PID 5996 wrote to memory of 5896	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	132
PID 5996 wrote to memory of 5572	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	133
PID 5996 wrote to memory of 5572	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	133
PID 5996 wrote to memory of 3732	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	134
PID 5996 wrote to memory of 3732	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	134
PID 5996 wrote to memory of 4536	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	141
PID 5996 wrote to memory of 4536	5996	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	141
PID 4536 wrote to memory of 4784	4536	cmd.exe	143
PID 4536 wrote to memory of 4784	4536	cmd.exe	143
PID 4536 wrote to memory of 3212	4536	cmd.exe	146
PID 4536 wrote to memory of 3212	4536	cmd.exe	146
PID 3212 wrote to memory of 2512	3212	dllhost.exe	147
PID 3212 wrote to memory of 2512	3212	dllhost.exe	147
PID 3212 wrote to memory of 2944	3212	dllhost.exe	148
PID 3212 wrote to memory of 2944	3212	dllhost.exe	148
PID 2512 wrote to memory of 2732	2512	WScript.exe	149
PID 2512 wrote to memory of 2732	2512	WScript.exe	149
PID 2732 wrote to memory of 4956	2732	dllhost.exe	150
PID 2732 wrote to memory of 4956	2732	dllhost.exe	150
PID 2732 wrote to memory of 5696	2732	dllhost.exe	151
PID 2732 wrote to memory of 5696	2732	dllhost.exe	151
PID 4956 wrote to memory of 5092	4956	WScript.exe	153
PID 4956 wrote to memory of 5092	4956	WScript.exe	153
PID 5092 wrote to memory of 2288	5092	dllhost.exe	156
PID 5092 wrote to memory of 2288	5092	dllhost.exe	156
PID 5092 wrote to memory of 4852	5092	dllhost.exe	157
PID 5092 wrote to memory of 4852	5092	dllhost.exe	157
PID 2288 wrote to memory of 2460	2288	WScript.exe	164
PID 2288 wrote to memory of 2460	2288	WScript.exe	164
PID 2460 wrote to memory of 5552	2460	dllhost.exe	165
PID 2460 wrote to memory of 5552	2460	dllhost.exe	165
PID 2460 wrote to memory of 3332	2460	dllhost.exe	166
PID 2460 wrote to memory of 3332	2460	dllhost.exe	166
PID 5552 wrote to memory of 1232	5552	WScript.exe	167
PID 5552 wrote to memory of 1232	5552	WScript.exe	167
PID 1232 wrote to memory of 5680	1232	dllhost.exe	168
PID 1232 wrote to memory of 5680	1232	dllhost.exe	168
PID 1232 wrote to memory of 4676	1232	dllhost.exe	169
PID 1232 wrote to memory of 4676	1232	dllhost.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
"C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
  "C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4784
  - - C:\aff403968f1bfcc42131676322798b50\dllhost.exe
      "C:\aff403968f1bfcc42131676322798b50\dllhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca74d457-98fb-42d8-8df2-f373d1b305b7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eebc816-257b-4980-b683-3921b8d83f51.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e0216f0-4b11-438e-ac0b-c6063fd1f3d6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9306907a-a57f-460e-8241-88d06a5ce661.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5552
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        
        C:\aff403968f1bfcc42131676322798b50\dllhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d84f1e7-837d-46e8-8c7a-50a96954bde9.vbs"
        13⤵
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee39791-66dc-4dd2-b47e-ad74f68818cf.vbs"
        13⤵
        
        PID:4676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cf850b8-ed9c-462d-8d64-58ab32a61fd4.vbs"
        11⤵
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d9153bf-d673-4cc4-a828-c49b66b15c4d.vbs"
        9⤵
        
        PID:4852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33100aa0-b4a9-4824-ad7b-e7f9b2645b93.vbs"
        7⤵
        
        PID:5696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e38cd7cf-ad4b-4f7a-a4f6-ceecc1fba09e.vbs"
        5⤵
        
        PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\tracing\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4752_1692656379\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
842369b08704bbddf9de4d90016e58dd

SHA1
8bc3da656c08abbc14c58201e65b0dc823964bea

SHA256
cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808

SHA512
8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e452a0569a88103800ef1fdb9d028088

SHA1
b73c91d1a9b444033dd5824543c4b9e9538e379f

SHA256
c0f2157095cd92cebe6ea87b14b366ff5ff71ef681785ac8363b1ca59b0ca242

SHA512
5141bd6ceaaefae93e4663b8235ecb1ff87017c2ed1c5a1cfa249bb5d9b646d6d0493e1f85aebe4ae9bddfd2ff7210ada1217bb32d52a1ac582a2f6d636e08a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d84f1e7-837d-46e8-8c7a-50a96954bde9.vbs

Filesize
723B

MD5
b61f3df66f3b6fd19afb36ecc700e637

SHA1
1ac3c14eb125d479f9c2225afe6a84a93219df9f

SHA256
6697b1d5ee27f8962555390ccfd6f753adda87bf0123f991994cb0da41799772

SHA512
e6567b7ab4dad9b8bbc7ecb69b3dfc3d3ef42ea08a9e69452e9fdf55dae9ef6c19b790306be833fd1e40313e2c6e8d59bc37123b5894a5735eda46d955469784

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eebc816-257b-4980-b683-3921b8d83f51.vbs

Filesize
723B

MD5
7dd49a6b1fc0987d7cb7f47aacae650c

SHA1
b605ac0b09667eae222b8c1439e82bf11a15811c

SHA256
227c6eac7e3ca7b07c90d793cfb850326bc3d332c1b5121ad68b2c83b9c3ece5

SHA512
7701ae6a4afa72cc368adb9cd0dbbc5de9e41c09e31779386b3385332827be6409153e9701578a83425b91263ddc1600eadb17637c4e41da568cfe14fbf45e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e0216f0-4b11-438e-ac0b-c6063fd1f3d6.vbs

Filesize
723B

MD5
b6debcdc153e3d2cb38631c0b39f3335

SHA1
40e6f30357365437587768b625394c995ac37c9d

SHA256
478e89e3dbd2a4c3a6ca9d4d5180f24e63c2e678017e231f468e353db48f41db

SHA512
ce0965418c2948167642bf384c57960601c6fe99b7956034ffb34445550ce937e6d61a11639c8ab93ebbf233c6d92e020d39444a095c59107f3aa495de1b6d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\9306907a-a57f-460e-8241-88d06a5ce661.vbs

Filesize
723B

MD5
92876ffd437033ae52fb5fedfa946f6e

SHA1
e75749d7a47a2da39b05bb06238e0fa7bb88dbb8

SHA256
925af71b601796301ab486b06b9b32d2a86cc37c0e2f3a3d7b3d9ccddcb029ba

SHA512
3a7bc53f8d4ccc7697ba492b2294e6a40b3db25959125d4619bdf6321b8527247af4271e46ed3e0ba7d194f2a5b138bf91dfac64b015c7ec6f29e216c5042679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX5E6D.tmp

Filesize
1.6MB

MD5
522b3cc9b8e0565c5a2eb2d40b7a9513

SHA1
86d71ba007afecc0f28e9815086992099a13f2c4

SHA256
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12

SHA512
a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stamzywq.aml.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat

Filesize
212B

MD5
e631894237c8af622e099ee4c5d86fcb

SHA1
171b3c05270544e659d07504b5fb962005d3cd59

SHA256
8ac12056f5a3dd7f5c908cf0ddfe4a8a3e7c74eb835c25bd6033a28a53b18886

SHA512
007f17ee3f46e802b7e5433a222673e9e069511d7263c3e5e85f8014e373e2b733d7988308d2c02a72e2cc2827e2d5d269ffea90691020d3df6e2f964b10863b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca74d457-98fb-42d8-8df2-f373d1b305b7.vbs

Filesize
723B

MD5
ccad1265a13c52dbd03e6def0a3da9e0

SHA1
867028f4e1cc19fbf43dc608f2cdba30b4400f63

SHA256
db57b77f26b28d03211eec5a0feb9ade2a20011a4dcdbd1e58490ffa9012753a

SHA512
1debfa4b37d609e6c33802d365396261d9f9d1762fd4bbbd9aa822c3b3dc0bcaf64b84f8358f3eeac78e293b98a8658a3f24ef3137ef5f4ba00b4effcf118688

Download Submit
C:\Users\Admin\AppData\Local\Temp\e38cd7cf-ad4b-4f7a-a4f6-ceecc1fba09e.vbs

Filesize
499B

MD5
8efa62d1e50fd79c7526acda39a7577f

SHA1
6ac1f68b8d007121fcfd6659c0c69d30d3bcd638

SHA256
3f614f84748cb6def99f86f4721124aedda6a25e7201f0831735d3232b023a28

SHA512
35c10ffcc0aaa8917f60e08a0c68c92e1c8884fd4999f72ce8e399eb813d17e567b8f497acce36fcca5e6904a7ee8ea93c0f0519cb37dc2b7111a835664f1a08

Download Submit
C:\Windows\tracing\sihost.exe

Filesize
1.6MB

MD5
b08775b34b05e7816255442772017e65

SHA1
0f64d3110f5d90b594f3cca841b0840aa7b2632d

SHA256
afc65f70a7ce9ac0010fd54971db852bc22cf4f96f46a9dba2d3b3fe2e4b99dd

SHA512
0611c1abebf8b3e399a0a461535aa739d4684b0e32baab9d590e70e9d3291ded668cbb98ba69e368ae42a05c7fbbfb05f4e7a12860de8a5e26dd4aedff0ce8fc

Download Submit
C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe

Filesize
1.6MB

MD5
f9393be561b1947d9fecc15c771121f7

SHA1
7aabb316b73c46c3e110fce624bb77a1cc462c27

SHA256
6ee01d31d1eab270896303f3fe44a91f9e7db4a5e3e63f7b7aa777244958236b

SHA512
c6afb3aec32de8f4c4dcd351f4e002dc267185a0af9a9eb0fb2cf54291226731c93cfa17643a2f7a647a14508ffa90027a148e4273794d99ad452c8266c404d5

Download Submit
memory/1592-11-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

Filesize
48KB

Download
memory/1592-0-0x00007FFA52D83000-0x00007FFA52D85000-memory.dmp

Filesize
8KB

Download
memory/1592-127-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/1592-16-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/1592-17-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/1592-12-0x000000001BBC0000-0x000000001BBCA000-memory.dmp

Filesize
40KB

Download
memory/1592-13-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/1592-14-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/1592-1-0x0000000000DD0000-0x0000000000F72000-memory.dmp

Filesize
1.6MB

Download
memory/1592-15-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/1592-7-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/1592-10-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/1592-9-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/1592-8-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/1592-6-0x00000000030B0000-0x00000000030C6000-memory.dmp

Filesize
88KB

Download
memory/1592-5-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/1592-4-0x00000000030F0000-0x0000000003140000-memory.dmp

Filesize
320KB

Download
memory/1592-3-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/1592-2-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/5860-78-0x0000018F32480000-0x0000018F324A2000-memory.dmp

Filesize
136KB

Download