dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86513494c7861a5a0c9f1c0fb478e36d.exe
Size

2.5MB
MD5

86513494c7861a5a0c9f1c0fb478e36d
SHA1

0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256

80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512

e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
SSDEEP

49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4680	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4860	powershell.exe
4904	powershell.exe
1676	powershell.exe
2952	powershell.exe
4044	powershell.exe
224	powershell.exe
1260	powershell.exe
4576	powershell.exe
3116	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	86513494c7861a5a0c9f1c0fb478e36d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 16 IoCs

pid	Process
3768	SearchApp.exe
1480	SearchApp.exe
2396	SearchApp.exe
3476	SearchApp.exe
2024	SearchApp.exe
1412	SearchApp.exe
2088	SearchApp.exe
2788	SearchApp.exe
2772	SearchApp.exe
3812	SearchApp.exe
2620	SearchApp.exe
1460	SearchApp.exe
2576	SearchApp.exe
4724	SearchApp.exe
4220	SearchApp.exe
2160	SearchApp.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\spoolsv.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\0154351536fc379faee1\\SearchApp.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\odbctrac\\taskhostw.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\DeviceSetupStatusProvider\\fontdrvhost.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\taskhostw.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\windows.storage\\RuntimeBroker.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\dwm.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\C_858\\RuntimeBroker.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\DeviceSetupStatusProvider\fontdrvhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\DeviceSetupStatusProvider\5b884080fd4f94	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\windows.storage\9e8d7a4ca61bd9	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\C_858\RCX979E.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\C_858\RuntimeBroker.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\windows.storage\RuntimeBroker.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\odbctrac\RCX8C48.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\DeviceSetupStatusProvider\RCX8E5D.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\windows.storage\RCX92F5.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\windows.storage\RCX9306.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\windows.storage\RuntimeBroker.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\odbctrac\taskhostw.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\DeviceSetupStatusProvider\RCX8E5E.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\DeviceSetupStatusProvider\fontdrvhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\odbctrac\taskhostw.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\odbctrac\ea9f0e6c9e2dcd	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\C_858\RuntimeBroker.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\C_858\9e8d7a4ca61bd9	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\odbctrac\RCX8C59.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\C_858\RCX9720.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\dwm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\dwm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\6cb0b6c459d5d3	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCX950A.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCX950B.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	86513494c7861a5a0c9f1c0fb478e36d.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
1060	schtasks.exe
4360	schtasks.exe
3048	schtasks.exe
5024	schtasks.exe
2788	schtasks.exe
208	schtasks.exe
4832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
3200	86513494c7861a5a0c9f1c0fb478e36d.exe
2952	powershell.exe
2952	powershell.exe
4860	powershell.exe
4860	powershell.exe
224	powershell.exe
224	powershell.exe
3116	powershell.exe
3116	powershell.exe
1260	powershell.exe
1260	powershell.exe
4576	powershell.exe
4576	powershell.exe
3116	powershell.exe
1676	powershell.exe
1676	powershell.exe
4904	powershell.exe
4904	powershell.exe
4044	powershell.exe
4044	powershell.exe
4576	powershell.exe
2952	powershell.exe
1260	powershell.exe
224	powershell.exe
4860	powershell.exe
4044	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	86513494c7861a5a0c9f1c0fb478e36d.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	3768	SearchApp.exe
Token: SeDebugPrivilege	1480	SearchApp.exe
Token: SeDebugPrivilege	2396	SearchApp.exe
Token: SeDebugPrivilege	3476	SearchApp.exe
Token: SeDebugPrivilege	2024	SearchApp.exe
Token: SeDebugPrivilege	1412	SearchApp.exe
Token: SeDebugPrivilege	2088	SearchApp.exe
Token: SeDebugPrivilege	2788	SearchApp.exe
Token: SeDebugPrivilege	2772	SearchApp.exe
Token: SeDebugPrivilege	3812	SearchApp.exe
Token: SeDebugPrivilege	2620	SearchApp.exe
Token: SeDebugPrivilege	1460	SearchApp.exe
Token: SeDebugPrivilege	2576	SearchApp.exe
Token: SeDebugPrivilege	4724	SearchApp.exe
Token: SeDebugPrivilege	4220	SearchApp.exe
Token: SeDebugPrivilege	2160	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4044	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	100
PID 3200 wrote to memory of 4044	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	100
PID 3200 wrote to memory of 2952	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	101
PID 3200 wrote to memory of 2952	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	101
PID 3200 wrote to memory of 3116	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	102
PID 3200 wrote to memory of 3116	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	102
PID 3200 wrote to memory of 4576	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	104
PID 3200 wrote to memory of 4576	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	104
PID 3200 wrote to memory of 1260	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	105
PID 3200 wrote to memory of 1260	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	105
PID 3200 wrote to memory of 1676	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	107
PID 3200 wrote to memory of 1676	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	107
PID 3200 wrote to memory of 4904	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	109
PID 3200 wrote to memory of 4904	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	109
PID 3200 wrote to memory of 224	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	111
PID 3200 wrote to memory of 224	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	111
PID 3200 wrote to memory of 4860	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	112
PID 3200 wrote to memory of 4860	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	112
PID 3200 wrote to memory of 3016	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	118
PID 3200 wrote to memory of 3016	3200	86513494c7861a5a0c9f1c0fb478e36d.exe	118
PID 3016 wrote to memory of 4032	3016	cmd.exe	120
PID 3016 wrote to memory of 4032	3016	cmd.exe	120
PID 3016 wrote to memory of 3768	3016	cmd.exe	122
PID 3016 wrote to memory of 3768	3016	cmd.exe	122
PID 3768 wrote to memory of 5016	3768	SearchApp.exe	124
PID 3768 wrote to memory of 5016	3768	SearchApp.exe	124
PID 3768 wrote to memory of 2988	3768	SearchApp.exe	125
PID 3768 wrote to memory of 2988	3768	SearchApp.exe	125
PID 5016 wrote to memory of 1480	5016	WScript.exe	126
PID 5016 wrote to memory of 1480	5016	WScript.exe	126
PID 1480 wrote to memory of 4952	1480	SearchApp.exe	127
PID 1480 wrote to memory of 4952	1480	SearchApp.exe	127
PID 1480 wrote to memory of 3300	1480	SearchApp.exe	128
PID 1480 wrote to memory of 3300	1480	SearchApp.exe	128
PID 4952 wrote to memory of 2396	4952	WScript.exe	129
PID 4952 wrote to memory of 2396	4952	WScript.exe	129
PID 2396 wrote to memory of 3428	2396	SearchApp.exe	131
PID 2396 wrote to memory of 3428	2396	SearchApp.exe	131
PID 2396 wrote to memory of 2628	2396	SearchApp.exe	132
PID 2396 wrote to memory of 2628	2396	SearchApp.exe	132
PID 3428 wrote to memory of 3476	3428	WScript.exe	136
PID 3428 wrote to memory of 3476	3428	WScript.exe	136
PID 3476 wrote to memory of 516	3476	SearchApp.exe	137
PID 3476 wrote to memory of 516	3476	SearchApp.exe	137
PID 3476 wrote to memory of 3120	3476	SearchApp.exe	138
PID 3476 wrote to memory of 3120	3476	SearchApp.exe	138
PID 516 wrote to memory of 2024	516	WScript.exe	142
PID 516 wrote to memory of 2024	516	WScript.exe	142
PID 2024 wrote to memory of 4860	2024	SearchApp.exe	143
PID 2024 wrote to memory of 4860	2024	SearchApp.exe	143
PID 2024 wrote to memory of 4520	2024	SearchApp.exe	144
PID 2024 wrote to memory of 4520	2024	SearchApp.exe	144
PID 4860 wrote to memory of 1412	4860	WScript.exe	145
PID 4860 wrote to memory of 1412	4860	WScript.exe	145
PID 1412 wrote to memory of 2832	1412	SearchApp.exe	146
PID 1412 wrote to memory of 2832	1412	SearchApp.exe	146
PID 1412 wrote to memory of 208	1412	SearchApp.exe	147
PID 1412 wrote to memory of 208	1412	SearchApp.exe	147
PID 2832 wrote to memory of 2088	2832	WScript.exe	148
PID 2832 wrote to memory of 2088	2832	WScript.exe	148
PID 2088 wrote to memory of 1020	2088	SearchApp.exe	149
PID 2088 wrote to memory of 1020	2088	SearchApp.exe	149
PID 2088 wrote to memory of 716	2088	SearchApp.exe	150
PID 2088 wrote to memory of 716	2088	SearchApp.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe
"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\odbctrac\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceSetupStatusProvider\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Oracle\Java\.oracle_jre_usage\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\windows.storage\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_858\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vWG90fPEzh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4032
- - C:\0154351536fc379faee1\SearchApp.exe
    "C:\0154351536fc379faee1\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260b467b-7d50-4ccc-9878-a0460cabec33.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d5986f9-d72b-41d2-b19b-1dac3800415e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9b790e-4397-4c02-a639-91a9f7f3f6a9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c3d9005-5cdd-4730-9842-b601bf9207be.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58872610-7257-4ffd-8392-42f9f44e6093.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b7a8411-2dab-47dd-af93-8dd2d9b08e88.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab3754dd-9684-4580-a2ec-79e802bbcf80.vbs"
        16⤵
        
        PID:1020
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75c89899-6ac4-4406-93d1-c7a2b623ad95.vbs"
        18⤵
        
        PID:4516
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff8724bf-aba0-4ab3-9155-19d67fdeaedd.vbs"
        20⤵
        
        PID:744
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65faa803-2ed4-4eb3-b03a-821a55efc3b8.vbs"
        22⤵
        
        PID:4664
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abea45f2-1d03-4777-a8c3-909d2f70f14a.vbs"
        24⤵
        
        PID:1052
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cbe5d40-f0f7-46c5-aa5a-3e5065310fbc.vbs"
        26⤵
        
        PID:5016
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e6f2510-03ac-4271-9b2a-56638b988af2.vbs"
        28⤵
        
        PID:3716
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8759e6-fea7-4c8c-9875-26cfdd0c3daa.vbs"
        30⤵
        
        PID:3932
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d059d8d8-0fa5-427e-be90-d99a3ce3b767.vbs"
        32⤵
        
        PID:4704
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc688d64-4f1d-4a53-bb34-46efbe7adf7c.vbs"
        34⤵
        
        PID:4912
        
        C:\0154351536fc379faee1\SearchApp.exe
        
        C:\0154351536fc379faee1\SearchApp.exe
        35⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1551c524-fc19-4408-b7b9-a59c78076c44.vbs"
        34⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61b465a-2b3d-4fa8-a0fd-f62d349c793a.vbs"
        32⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1da0c28-9caa-4406-b4f5-2b4fdc549b73.vbs"
        30⤵
        
        PID:4044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72f4f7c8-aff0-4881-a324-af9172e8d464.vbs"
        28⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eba76b9-fa01-49de-9894-f7d87a541750.vbs"
        26⤵
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c733fd58-85b2-4d85-af18-513a2de081a0.vbs"
        24⤵
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0531a2-9ee5-4fd9-8537-f2aeee9de439.vbs"
        22⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\919e1a3d-6e4f-445d-9eae-df7457cf96bc.vbs"
        20⤵
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30961757-65bd-44fd-b211-c53de8a18a94.vbs"
        18⤵
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fcf6c87-b225-49c3-9a0d-95a4d41c1e37.vbs"
        16⤵
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5914d0ea-76a4-4b71-ac9f-5491c1eee8c7.vbs"
        14⤵
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60736671-bcb4-4679-9db7-0916c3c9e6ba.vbs"
        12⤵
        
        PID:4520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4257a797-ccd9-4750-8de4-e2206b558ab9.vbs"
        10⤵
        
        PID:3120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1b9ad8-ecb4-4194-8c4c-08d88b59a4f5.vbs"
        8⤵
        
        PID:2628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d41faad7-97e4-46d9-be5d-911e26e19997.vbs"
        6⤵
        
        PID:3300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b93fba-aa0e-42ea-91c2-66579b6ae56f.vbs"
      4⤵
      PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\0154351536fc379faee1\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\odbctrac\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\DeviceSetupStatusProvider\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\windows.storage\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\C_858\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\taskhostw.exe

Filesize
2.5MB

MD5
86513494c7861a5a0c9f1c0fb478e36d

SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f

SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a933acb47347f3acfbe61dc611837f1

SHA1
0f971f7257c034fa64d9b6bcea2ea6962c48dfb7

SHA256
98f9484f576da87f1a99c6c495e2cd222e139d6867e8409cadde65ccbdb991dd

SHA512
74094c94c5864fbc99cb293d43ecd147686160c32c323ee0e3577e6d1b28b6a68c921cf3711c73c510eea5b6ce0b24268753dfc38b4f67f9a6a238bb4e8bef83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a39de506d9f3cb0eef9451868bf8f3ff

SHA1
183758ff7964ae923989989be46a822e0d4dc37f

SHA256
d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416

SHA512
041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9e91fa13f902935b683fcbc65dd11c03

SHA1
9412ddf77a7a551178e3d60b5fcd7d71d7301bb4

SHA256
f4a7ba9b96c0fb8d52545e2bed8711131f4be5fa8e01f4db401115be9ffb31bb

SHA512
9a6ca2c7b62b1205cb28523e0775a1947d4af569164484b50e5ef4d94412743fddbff17e8e9a99ebe31eef192a3cb06919061242acfb8263bda7d969a8b9e60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cbe5d40-f0f7-46c5-aa5a-3e5065310fbc.vbs

Filesize
713B

MD5
e718570234b99536c3b63f084fdc05c3

SHA1
d04db8c068870d16edf0ca54b3100c422fe5f1a9

SHA256
9cfb829ed37933a61542ba871bace4318feb2a10caab9446270ae13caccf5fc4

SHA512
f4679521a5a524d64fe72e7dd05210cfbfccb7f57aca99c6a6f67775e423331fcbd2f5e939673da6cbb2f30766f95cedc0205da79758c548b7e942cb37a55cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e6f2510-03ac-4271-9b2a-56638b988af2.vbs

Filesize
713B

MD5
db26ec52379abaf1c4b3be2665fb8ad1

SHA1
cf3d6b01e352efe6c3c0926b62269da3691eebd3

SHA256
a82fc6a58f6278122ab3ec3827c58eb71804dc0d1865c0bceec1a278949c5b3a

SHA512
d282c64fee38621af4535c843c18b5ab2de1be334fe010fed46ae0ebc626cad25622f973d44e6e60b76fc4289ca59049cc3fafcb18e25ad646601a85b2295352

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d5986f9-d72b-41d2-b19b-1dac3800415e.vbs

Filesize
713B

MD5
528fc249b2a5c51cec33954dc9306797

SHA1
050c389ab36ee93422ab752063654f92faf70502

SHA256
1a2178ed4f3df13625ec096a5845673b4f92679b227def5aa74d26d7218fa97d

SHA512
2690cc3876c630e7ffb4d6ce31e205f8885f3743b95fd3486fac26284c08277d02db04ca501f59aed8e4dc0b1a7d92045f72fa69ba5c1854a4cd78e98792b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\260b467b-7d50-4ccc-9878-a0460cabec33.vbs

Filesize
713B

MD5
aeeb611ee9aa18fde1c8a645dd4aa308

SHA1
27d2b7ee3520565f3a64e6f05695f3b3f442ad36

SHA256
87a967bd4b749b0a61d6e890d51539bcf6513f5ac880bdb4a3d8975520ea1fa2

SHA512
a39074584cd57b464ca5568dc0c900aba6ac71135b6d5d86e0d9d1b469564a3d6328860356b545791b943a3debdd843a0fc56efd7230875f570c54ba86aed16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b7a8411-2dab-47dd-af93-8dd2d9b08e88.vbs

Filesize
713B

MD5
6ac72a0b529ed047efb11df3504a63d2

SHA1
8922d5ddeaf7fe9d8c7ebc9f6360a6a2685d81db

SHA256
b72eb93cf3a79cbff1f0afcc76480b3a037e28aacf5c1905a18133b1c6450dee

SHA512
2016a3725aa454ab6a6d51e7890da6c54ddd556801c9fdf95a9adae4d6ef4c21b439535bf03566b6a4d68535cae39e28d20339df75be49e1fd5f17353645cfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d9b790e-4397-4c02-a639-91a9f7f3f6a9.vbs

Filesize
713B

MD5
6ae55bcf63587b55390bef2ea5f98755

SHA1
743cbf78c1fe5cc33b15941f732e80e449d15ff9

SHA256
4ef7165c0b803ab8a77e2b411ce184eaf035ebb5524c73a8aae6ce1e11854970

SHA512
66a191b2e83d4a4de6cffd5146b4730d6b0769f1aa29d3260ce1b5428685cf4ec579fbd944eb5f2469fe60e7393ae7b2e19b991f4c1d156bf7ab099cc18adc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\58872610-7257-4ffd-8392-42f9f44e6093.vbs

Filesize
713B

MD5
8c64fb740f1f68dd41a96ad1f3e89827

SHA1
a0d8be45c83503e325cac2b6dedf009c619144c3

SHA256
76462ae48d6b698d614b725a977f6e143bf5afea201ea7f2ad50a8687d249b8f

SHA512
faeacf5f027df7c3e2e374b3994a2c9ef4ab65630fd482301d1e5eb564669ab9695831d1daae5c571c5cfa20dddeb99f7ba38d909222ddff8a3ea0c62e3998a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\65faa803-2ed4-4eb3-b03a-821a55efc3b8.vbs

Filesize
713B

MD5
7345b0446eef3a27fe978be922fda234

SHA1
5961619f63b48d413eaccafa4019a37b372ce7dd

SHA256
7f23594bf71ec56758913223e8fb3cbb501db2e45da87cae9d1ebfb949b74d71

SHA512
21f525e6d609b5a49bedc1452d702d9c25719868ff985e2c6ac66665a4c3f03db398c1cda4c762a0b08f7f8faae2a55cef1e3123ec293eab4b817919c315416f

Download Submit
C:\Users\Admin\AppData\Local\Temp\75c89899-6ac4-4406-93d1-c7a2b623ad95.vbs

Filesize
713B

MD5
2b022a1b4274dd8c0490fbac7d3f6900

SHA1
ea7090ea7e4b8c8652c3a6691b040f6933a4be67

SHA256
2b402a0c779c394c49ec42519605d6299f454e4eeb0d47541c61b2686779a456

SHA512
ac518c1c6f157674181d5e75ee9770bcd1eb1161ffe23a8c47d282c971a74f90ef6fed1fc0764b6b86948967fc16d96a6691ec1d72b7cb3c3ed800bf356974db

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c3d9005-5cdd-4730-9842-b601bf9207be.vbs

Filesize
713B

MD5
1dab582a380309520ee5f9ba0173ab2b

SHA1
6eee9dea43d9d975b1003c2ed4dc81a3d225a9f2

SHA256
ddd704b26b908e5eb718bf7f23c1488ae81dcd0b008307c20c986ac47f628481

SHA512
0d1f0be8d80acabf73448102f1db57ed379dc094f4e3d9fddce169fcedbcb72f70b6e96dd9d903315825b0b7a7528d0354ee8047f84fd6fc7e4eec17b2487688

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olcht3co.5ve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab3754dd-9684-4580-a2ec-79e802bbcf80.vbs

Filesize
713B

MD5
fa2b3b1ae94673d1a77d74372e25a190

SHA1
8e03ce830018f30f007d84d0aeef7eab4ef9ce81

SHA256
67f2f0cdcf09b34fc8a76c17438f2f0089f15787f7c3bd558aafaa43cf52101d

SHA512
d653d8c93a19ad7ee15696b6ec0974a9bd9e5656cd4da90b9f8cda9c7bb0d26d6cc870638a73c49fc8e843576178107078c8083101af923573355bbaf80515fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\abea45f2-1d03-4777-a8c3-909d2f70f14a.vbs

Filesize
713B

MD5
d86e7e3ce183b68f8a93589db2459e2b

SHA1
83566792dc0ed4560d396016e288f56c36c989e2

SHA256
9c1452035eded42fde3bf21859088832f5ac34a4c87ade739768b9d6c97a0a8b

SHA512
aeacbf66a49eb407dafea5dc80284eced79806c50748c5de65d1c746902e0c8e4c7a7662c181c9a70cd80e79fe19402eabee91189184c59337e2bc9696c4f2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7b93fba-aa0e-42ea-91c2-66579b6ae56f.vbs

Filesize
489B

MD5
d4466e5a61586b970db9e82debe25c04

SHA1
c18b236afe533751df6083b15886ed13426be252

SHA256
ba004a8ea1f6aa9bdc12ed42e2876d45c189da0aa7185c64221c07d9fbc05992

SHA512
344e3a181254578f0a0922db5cc1d5f171636d083081b355125a8b296ab6c0625e2ae776eee9bb660d4481d3fd11b74c9beca7ddac24af3c69c7c43c5cec77d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff8724bf-aba0-4ab3-9155-19d67fdeaedd.vbs

Filesize
713B

MD5
da8bb6028d19e2410c3db78e859d10fb

SHA1
5d9e0e3fab1e6785d4fea65da67d58b5fd76e296

SHA256
61fb99b15c0ff9f57b9b5415e7bebd9c8e4c3202632a539813e56a44c0140e82

SHA512
408de6f70d347ebd32d0d3479e16b341435d4752723283004aa9fc0cb94656e717800fdb7e4bda7536e3c9d6c8fe0c5adbbbc7826d718cff794f2f74ed429358

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWG90fPEzh.bat

Filesize
201B

MD5
36b494276a4fafd66fc577a27732ae30

SHA1
ed6a98ae0acddb10f2cafc6562fe25c24a13b621

SHA256
0285e11812be82a84cdd3a2641523ddfe633eeb9c601069dfec4cacb0ce271e6

SHA512
ff9ff995fdb213fbea9f87f70d45c1411861d8d060f7c22a1e9d2b518fe22fa58cb15cdcd215f8527989b580580d2354058891b7eff4613e607baf23bd612b72

Download Submit
C:\Windows\System32\C_858\RuntimeBroker.exe

Filesize
2.5MB

MD5
076fb7d8c5cd14618f78d0efc1a3d8e1

SHA1
f9fbaa75955c0282f84ac4cca36b0044c68a05c8

SHA256
2e7e5affd89752ba69b2c18a1fe22f6ecb54e05943e7aff7fd3f2c547625caaf

SHA512
cddac2b78bef798d3fe62e071ea03861f9a22797207eed23c065c88e3bf10c9eefb2cff35ad7dda73c6e90b735cd3166f843d1b65f41e8900fff763ef50c39f0

Download Submit
memory/1480-261-0x0000000003020000-0x0000000003032000-memory.dmp

Filesize
72KB

Download
memory/1480-272-0x0000000002F70000-0x0000000002FA5000-memory.dmp

Filesize
212KB

Download
memory/2024-299-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

Filesize
72KB

Download
memory/2088-322-0x000000001B770000-0x000000001B782000-memory.dmp

Filesize
72KB

Download
memory/2396-284-0x000000001AFE0000-0x000000001B015000-memory.dmp

Filesize
212KB

Download
memory/2952-172-0x000001851C830000-0x000001851C852000-memory.dmp

Filesize
136KB

Download
memory/3200-8-0x000000001B970000-0x000000001B9C6000-memory.dmp

Filesize
344KB

Download
memory/3200-4-0x0000000002890000-0x00000000028AC000-memory.dmp

Filesize
112KB

Download
memory/3200-1-0x00000000003E0000-0x0000000000666000-memory.dmp

Filesize
2.5MB

Download
memory/3200-17-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/3200-2-0x00007FFC80160000-0x00007FFC80C21000-memory.dmp

Filesize
10.8MB

Download
memory/3200-18-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/3200-15-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/3200-16-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/3200-14-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/3200-12-0x000000001BA50000-0x000000001BA5A000-memory.dmp

Filesize
40KB

Download
memory/3200-0-0x00007FFC80163000-0x00007FFC80165000-memory.dmp

Filesize
8KB

Download
memory/3200-3-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/3200-13-0x000000001BA60000-0x000000001BA6A000-memory.dmp

Filesize
40KB

Download
memory/3200-5-0x000000001B9C0000-0x000000001BA10000-memory.dmp

Filesize
320KB

Download
memory/3200-7-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/3200-9-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/3200-10-0x000000001BA20000-0x000000001BA32000-memory.dmp

Filesize
72KB

Download
memory/3200-149-0x00007FFC80160000-0x00007FFC80C21000-memory.dmp

Filesize
10.8MB

Download
memory/3200-11-0x000000001C320000-0x000000001C848000-memory.dmp

Filesize
5.2MB

Download
memory/3200-6-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/3476-287-0x000000001B410000-0x000000001B422000-memory.dmp

Filesize
72KB

Download
memory/3476-286-0x000000001B5A0000-0x000000001B5F6000-memory.dmp

Filesize
344KB

Download
memory/3768-247-0x000000001BD80000-0x000000001BD92000-memory.dmp

Filesize
72KB

Download
memory/3768-258-0x0000000003240000-0x0000000003275000-memory.dmp

Filesize
212KB

Download
memory/3768-246-0x000000001BD20000-0x000000001BD76000-memory.dmp

Filesize
344KB

Download
memory/3812-356-0x000000001BD60000-0x000000001BD72000-memory.dmp

Filesize
72KB

Download