Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/03/2024, 14:48

General

  • Target
    1994f3ef2118aeecbb74e6c8976fd47b.exe
  • Size
    3.2MB
  • MD5
    1994f3ef2118aeecbb74e6c8976fd47b
  • SHA1
    8f157fc5c2af51db24b66085f29d3c1240be36b2
  • SHA256
    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
  • SHA512
    48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
  • SSDEEP
    49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  • Process spawned unexpected child process (42 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • UAC bypass (3 TTPs, 48 IoCs)
  • DCRat payload (6 IoCs)
    Detects payload of DCRat, commonly dropped by NSIS installers.
  • Checks computer location settings (2 TTPs, 15 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (15 IoCs)
  • Checks whether UAC is enabled (1 TTP, 32 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTP, 42 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Modifies registry class (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 48 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe
    "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4324
        • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
          "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:836
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d82d5aa-45d5-4807-9916-e03525769b88.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4848
            • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
              "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4296
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12af547c-6d1d-47c9-bb37-707775950d4e.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4800
                • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2748
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69d89d7a-7d7f-45e6-9c7b-85406d85cfe3.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2424
                    • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                      "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3272
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4855fbf4-6480-4449-ae11-cf91d642e9b3.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5104
                        • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                          "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:400
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d626d0fb-1c2f-4ce0-9714-aa48bb8f43da.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4908
                            • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                              "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:3908
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f901b504-4e76-4400-b8dc-fd02a73cbbce.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:840
                                • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:2708
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16ed0cc2-d84e-450f-88db-c7c05a06e2b0.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1944
                                    • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                      "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                      17⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:4564
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab1e69f-2f1f-401d-938e-f71bfd6a81cd.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2564
                                        • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                          "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                          19⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:2280
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5af0a6be-4f61-470c-9af3-d9e879f95f18.vbs"
                                            20⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1056
                                            • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                              "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                              21⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:2812
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8c8fd3-70ad-491b-a007-d682790a8883.vbs"
                                                22⤵
                                                  PID:3164
                                                  • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                                    "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                                    23⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4800
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5fdedc-353f-4832-9fd6-594eaec6169c.vbs"
                                                      24⤵
                                                        PID:5116
                                                        • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                                          "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                                          25⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:3720
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16705fd-80b4-4001-9000-eaf5f70a146d.vbs"
                                                            26⤵
                                                              PID:4600
                                                              • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                                                "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                                                27⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:2468
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d85c7a2e-b8f9-44c3-9be9-bb12676c3c7e.vbs"
                                                                  28⤵
                                                                    PID:2700
                                                                    • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                                                      "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                                                      29⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:452
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009483e7-25f6-445b-97f6-d52c08f7eae0.vbs"
                                                                        30⤵
                                                                          PID:1824
                                                                          • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
                                                                            "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
                                                                            31⤵
                                                                            • UAC bypass
                                                                            • Executes dropped EXE
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • System policy modification
                                                                            PID:4248
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46d3ffb-f327-42d1-bcab-d066b0c99748.vbs"
                                                                          30⤵
                                                                            PID:2024
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e18fdc-f38a-4263-966e-482f44ab5aae.vbs"
                                                                        28⤵
                                                                          PID:4192
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3511aee2-03e2-402d-8c2d-2d50e9aaad2f.vbs"
                                                                      26⤵
                                                                        PID:3140
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32e7722-975d-443b-9f16-895a030b2aac.vbs"
                                                                    24⤵
                                                                      PID:212
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cfbf42-15d8-4219-b6d8-dde0e5477e4f.vbs"
                                                                  22⤵
                                                                    PID:4024
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511dbcf7-6261-4495-bcae-32f8c7d1e554.vbs"
                                                                20⤵
                                                                  PID:4168
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0521a46e-267a-4466-9198-ae95eea5129a.vbs"
                                                              18⤵
                                                                PID:1900
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d42e74-c59e-456b-bf90-a7abb4e658b9.vbs"
                                                            16⤵
                                                              PID:3512
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0ba46b-331d-4c29-86ab-cba3c3f4220b.vbs"
                                                          14⤵
                                                            PID:2284
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234610d0-3143-4929-b184-fbd4359ef01d.vbs"
                                                        12⤵
                                                          PID:3152
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb50c54-c2bc-488d-81eb-530e537b80fa.vbs"
                                                      10⤵
                                                        PID:4352
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2eda89-6efa-46e9-8ea6-ad91e7f02229.vbs"
                                                    8⤵
                                                      PID:1724
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeef1934-9cbc-4e53-9f6e-47ab16da9127.vbs"
                                                  6⤵
                                                    PID:3976
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acc37e4a-4df7-4402-b741-43e6041569cd.vbs"
                                                4⤵
                                                  PID:2132
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2764
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1588
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4380
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5068
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:872
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1888
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1320
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5084
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4068
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2928
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3400
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3428
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4600
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4248
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:416
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1600
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:400
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4800
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3976
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1496

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  1994f3ef2118aeecbb74e6c8976fd47b

                                                  SHA1

                                                  8f157fc5c2af51db24b66085f29d3c1240be36b2

                                                  SHA256

                                                  5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

                                                  SHA512

                                                  48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

                                                • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

                                                  Filesize

                                                  768KB

                                                  MD5

                                                  028958f59e67b43c84615a52817d8977

                                                  SHA1

                                                  2fd828295bb4dba9f860dc7f3e814c19e9f2a0ac

                                                  SHA256

                                                  f3b7cac5543a7ede99252839adaf7ed67782c2e5fa4230f270d79178dca3e43a

                                                  SHA512

                                                  bda4d5620242f4122477e6e9fec6f53149e8a389e8acb4de81cdb36692c3ac9c6b54015d601e2794ebccd7cfaa11f3e417b567945220af0cefad993a9ba7e6b1

                                                • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

                                                  Filesize

                                                  499KB

                                                  MD5

                                                  86d7e50391e4806fe5609633525e071e

                                                  SHA1

                                                  edd3ceada10bdcde88c56746c8ec435f85e46658

                                                  SHA256

                                                  863057243124f2dcf1a8366886e41226e2b747f9eddbcdd5578f445f41b18aea

                                                  SHA512

                                                  9c54d91fe4df3fa9d6bd71170f2a5620b7f8c678a40cc35598b1334657c481961255822518b3bbd5cf84d2135c0225686991825cbcf19bc2c599a6c04d92ac4c

                                                • C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

                                                  Filesize

                                                  1.1MB

                                                  MD5

                                                  0016eafec1d4cb57bb7c1a1feaf1a8d3

                                                  SHA1

                                                  ee49434cab7bcb04a084386d07b2637201a14193

                                                  SHA256

                                                  eac7503539af33b83e0bce8a54d10c2f46d3e2bc190aad4d5914b26f3bc1c392

                                                  SHA512

                                                  621930cbd2bf8c218717e699a34bc81179d2a4a0f3c6731fa65a8f747cd910d296746046570bc583cc991162e17a76a3eb58485c962139d73dbed108f4572a51

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  caa9da90d9bfc2c0fbadbf7eb57d1aae

                                                  SHA1

                                                  b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7

                                                  SHA256

                                                  b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd

                                                  SHA512

                                                  da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

                                                • C:\Users\Admin\AppData\Local\Temp\009483e7-25f6-445b-97f6-d52c08f7eae0.vbs

                                                  Filesize

                                                  732B

                                                  MD5

                                                  8ad4abd699e6a798f3b29220f25ca555

                                                  SHA1

                                                  fb5fadea7b6c353e5f9436cb3e51482cc6993ebb

                                                  SHA256

                                                  d993ee5e38de9b2a8d31008ee67ccdf3e331da8e166a1513e37034ed56d48fe5

                                                  SHA512

                                                  9a219fb5afa8ba7f999603f03130a66a0c22e93c97745fe41f4f1453644c5da5febf2514a3280e4857f8eeedb3e524da0eb2c7e18f68c8805daee041370bcc07

                                                • C:\Users\Admin\AppData\Local\Temp\12af547c-6d1d-47c9-bb37-707775950d4e.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  6958c61f6851698e8099cd0d3550e3de

                                                  SHA1

                                                  0ca86563a21078dc365aabda909b8cb3a19f5f52

                                                  SHA256

                                                  bc352647a4880304bcef4cbb562916b09852abcffea1aeb34e9b83b6d5f4fcc1

                                                  SHA512

                                                  02089be90e6b8c2fc199fa31fae3ef5d16c2b5a483ec4a519977cf3519642e74d0102f347975cbdc753417cfc7040fdacf3ce7606f8f31f3acc9df42c4e4c54f

                                                • C:\Users\Admin\AppData\Local\Temp\16ed0cc2-d84e-450f-88db-c7c05a06e2b0.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  68b89f0c229262f5b9b89844bd825ec3

                                                  SHA1

                                                  8147826601e70814e96e66a25c5cd238e9e26c4e

                                                  SHA256

                                                  f0cda4907e54d66f078573cf7e881c2b83bd5fedf4165e9601baaff2c3b97b1c

                                                  SHA512

                                                  86f5e100ae5c66e027eefccef754addd0c875a01f59d48d1eaa79adaca00d726907bf554d08654a63966256ca0ca743e1f99b719d67230b1aede59f389306848

                                                • C:\Users\Admin\AppData\Local\Temp\4855fbf4-6480-4449-ae11-cf91d642e9b3.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  3de88506bb7cec272ec7d6ce6e3343ad

                                                  SHA1

                                                  0461b3ce904089f0e61d0fd483d97a6f92def10b

                                                  SHA256

                                                  e7f0f0028d222ec2f3b1950904780104794d48d9527a721f07aab350929481dc

                                                  SHA512

                                                  7a19d1a6255db9f82082db10ed152477a82b22fc217c0eeb29f389f47a81fb3d6b714e0042562db9e018acba39b4cdfb1e3ba708923a47f239bb22d022e7bef3

                                                • C:\Users\Admin\AppData\Local\Temp\5af0a6be-4f61-470c-9af3-d9e879f95f18.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  032300f58a786600b434da92591dcf31

                                                  SHA1

                                                  a309714b9f17898e7e7d64f0b9f4b1a3803b98c8

                                                  SHA256

                                                  1cd332109c45eb557f6a9c1fef1339b29848a8b960eeb4f60d0cfbccf5639682

                                                  SHA512

                                                  fd603835b2a0175456f9ae1b1053e3cb04befad12434c473c424c10555c9c09f5ba43bf2ce3c83e4fe1d7bc9b13c7b1043ae9a8a4a6933dec0df98b0884fde92

                                                • C:\Users\Admin\AppData\Local\Temp\69d89d7a-7d7f-45e6-9c7b-85406d85cfe3.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  e14f9f0df9bc185250e91f59453d7817

                                                  SHA1

                                                  bee851bc19586acad00caa30082f28d1db1a4e1a

                                                  SHA256

                                                  69914e2cd0c232c2e0da6ea10796164dd8bd45833864dd26319cd196d5e7bdc8

                                                  SHA512

                                                  66c9b82c0842008bb30c42a49f0e87886e2a60ff7bdf8577b2e54fc8c14ae2630533810331779a32036d4ffe20b766a981f9eb070a5091250cf27af606ef3771

                                                • C:\Users\Admin\AppData\Local\Temp\6ab1e69f-2f1f-401d-938e-f71bfd6a81cd.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  e066873c029dcc396bda6878d4c89b13

                                                  SHA1

                                                  73b33123530ff05397590b7b9f78e1a834f6c4dc

                                                  SHA256

                                                  bd955b17bb71ebabfd0a103d99c02aed6f0c67c0b9fb27bb66266ca888635ce3

                                                  SHA512

                                                  583d60cae6177a3bbb26b4feec194eec30d066c5818fa9be697231a37a3065671f160b29f7b3d5d0641dededf521df0ef89826fe4c8b236eb86580ed3b8cc868

                                                • C:\Users\Admin\AppData\Local\Temp\7d5fdedc-353f-4832-9fd6-594eaec6169c.vbs

                                                  Filesize

                                                  733B

                                                  MD5

                                                  57dcdc9d61d7b636af4c1f8967726b22

                                                  SHA1

                                                  eecf3265b448ec7a8cfcb68f45bc96e7f367f7b9

                                                  SHA256

                                                  e9850007590b93e6a726e4bf015deaf7de2596c37ad9710bf8c6f290f9886262

                                                  SHA512

                                                  1e95a4f8b6d64fbc3655e0d4bfb22eeec7d86dc330050bc6f2985b3d8e7e4a86cd4a859dcb4e8e8a93adba48d66c4e4f973d0653e3f54ca744c11576d1c128ef

                                                • C:\Users\Admin\AppData\Local\Temp\8d82d5aa-45d5-4807-9916-e03525769b88.vbs

                                                  Filesize

                                                  732B

                                                  MD5

                                                  5e4850cb05206a2df1723d896baa8833

                                                  SHA1

                                                  f95848994124d4a12cd717eba12c36d998cd1595

                                                  SHA256

                                                  41ec6997ca8b2b749ed0c49294351f77570dd96c7327e5aeb1581a4fb26a0937

                                                  SHA512

                                                  cf028b6f186112a74b84bbe63c65bdef6f304a6be43794723a0fe9bcde186ed0a4a198e852a12b7c8397133d9394ebeecd69d79f9ec9283053ddadd807f1ed42

                                                • C:\Users\Admin\AppData\Local\Temp\99d342b3bebe85959c38e2102e6dd3992fc9b899.exe

                                                  Filesize

                                                  1.3MB

                                                  MD5

                                                  5ebd26f7b539d06ee26e4335bdad1bac

                                                  SHA1

                                                  f8013bd49ea6c345395c56f4c373e39fe5b1d2eb

                                                  SHA256

                                                  7314a4df55312d5b2952c66fdc0ba36c2f5b1dbb3ad88f1dd2ba283c8400696b

                                                  SHA512

                                                  c343fb3b8c82967042a407d684cdb5968d80446e96d1fdfe9c4e33ca727a26281a2e7cae05a997f4983ecf61e3aec41252b544ef827592d556c4a5ffe76e8e73

                                                • C:\Users\Admin\AppData\Local\Temp\acc37e4a-4df7-4402-b741-43e6041569cd.vbs

                                                  Filesize

                                                  509B

                                                  MD5

                                                  bd2810464d4f16be36c4b29dbccbf59d

                                                  SHA1

                                                  91f8241bf8b21e959b23c5deac9fffa35a5c38a0

                                                  SHA256

                                                  d392ee756d3d81c0419cebff8302f7dec199efe7f179976755852193bea1e232

                                                  SHA512

                                                  9f135dc93d9d54451ba965773beb2c2c075cbbf45341d1604a6e3ef1aaa3f9b056df78d091c6d2ad8237284d8685e073e1a95462670cff9b1519a7bd3df3f955

• C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat
  Filesize: 222B
  MD5: 802e033163d69821a99513883b5658b0
  SHA1: e5e824f6ceabcb0fcf6e7fdf4d5832e8a1248c85
  SHA256: 55c0b7b1df58cdb684173782052cf3b87f4493626ef576b43995727ccd91b5f3
  SHA512: b290bf94712c1f0e980cded735dc3e24e6bdd7612d0bac0b3097a21f462f82ab0af83cd371567ccf33455408d3ba1946e5d4077489ce6ad60a39eeec8a69d846

• C:\Users\Admin\AppData\Local\Temp\d16705fd-80b4-4001-9000-eaf5f70a146d.vbs
  Filesize: 733B
  MD5: f58676873042c719ebaf8b09a8ed9bc5
  SHA1: 16d338bf9877a5a50cea1ab6f2be274d436e64eb
  SHA256: b935a5adc967d708ee1206fb2b5e2a06f1e1adf89ee588bc04205c9ddb6f279a
  SHA512: 7aa7e17686d7dd027a0090e88e6c6bf271752ffac049aec46bd9b77cbb1de78f5b128aab60e7e3b2da379ee07cecf51e8461d0f2266e17e356a45991d742e241

• C:\Users\Admin\AppData\Local\Temp\d626d0fb-1c2f-4ce0-9714-aa48bb8f43da.vbs
  Filesize: 732B
  MD5: 6d012f2e58754e56d6e11ffd6625dee6
  SHA1: 22f43c246fde423f5aed8017348bfd453a0db060
  SHA256: 6c25775d402472f1029994dc1bd787d1553c379e04b6c5481b9fce3dc87d2c6d
  SHA512: c7698ed47485b422042db109d7dbcecf123dab0734ce082185378d0c0b2dd9b0d194d0af4d3d3fb7ed2b9eb82afe9cbb4747328d9c6a99aaf2dec416d19a0d86

• C:\Users\Admin\AppData\Local\Temp\d85c7a2e-b8f9-44c3-9be9-bb12676c3c7e.vbs
  Filesize: 733B
  MD5: 7a2b247056bedb213065666fc44b2bc4
  SHA1: 43f6bd5f51fb09b0e1b7141c82cd9a751c31378a
  SHA256: 3391a068ee113ffd25899758604b4ffe9ada35c80732984a31176085c3b86664
  SHA512: 68fbacfda257908caa98d4c20517d6f7aed5fdd40778fc70807be6521f72d1be3cc740cb887806131c7ce1f21ff0f54d340a8ecab25e340eaaa0a92a35eb1ca1

• C:\Users\Admin\AppData\Local\Temp\dd8c8fd3-70ad-491b-a007-d682790a8883.vbs
  Filesize: 733B
  MD5: 7bb9115e32e0d7e73740edae13322668
  SHA1: cb6a86aa37b59184832a853bf7e88535bd2f3dfc
  SHA256: d8a5b6dfda1e73a663ea4d68d015c636338533b4a8c55098933c24118b92224c
  SHA512: 903a97f22fbcdc2d231105199c521d005fc2ab84e33a26bb56ead8b5966f63741f3ef3f8a516d1ea4aa018f900c5b7243256984435f3def4404904916da9a8d3

• C:\Users\Admin\AppData\Local\Temp\f901b504-4e76-4400-b8dc-fd02a73cbbce.vbs
  Filesize: 733B
  MD5: 82cace29aa6ac72793ea438659b0549a
  SHA1: 430b58d7e7a547af99ac4c719d2a0e08817a44fe
  SHA256: 1ca4adac2d55d14fb84777d9b7cf64827263b5dedd0be41b5a64a606ca9fdf1a
  SHA512: e517d625a07a63147f7fa107e5144bed9c0b16be09c8a520757db9940373b08285ca51dd8f3e10d29707fce635375d9c92501377687fb01a0f810d3f93fe4ca6

• memory/400-131-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/400-132-0x000000001B9D0000-0x000000001B9E0000-memory.dmp (Filesize: 64KB)
• memory/400-133-0x000000001B9C0000-0x000000001B9D2000-memory.dmp (Filesize: 72KB)
• memory/400-144-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/836-74-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/836-75-0x000000001B980000-0x000000001B990000-memory.dmp (Filesize: 64KB)
• memory/836-86-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/2280-189-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/2708-172-0x00007FFC13180000-0x00007FFC13C41000-memory.dmp (Filesize: 10.8MB)
• memory/2708-161-0x000000001BB30000-0x000000001BB40000-memory.dmp (Filesize: 64KB)
• memory/2708-160-0x00007FFC13180000-0x00007FFC13C41000-memory.dmp (Filesize: 10.8MB)
• memory/2748-115-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/2748-104-0x000000001B060000-0x000000001B070000-memory.dmp (Filesize: 64KB)
• memory/2748-103-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/3272-118-0x000000001B290000-0x000000001B2A0000-memory.dmp (Filesize: 64KB)
• memory/3272-117-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/3272-129-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)

• memory/3720-2-0x000000001B9E0000-0x000000001B9F0000-memory.dmp (Filesize: 64KB)
• memory/3720-33-0x000000001C390000-0x000000001C398000-memory.dmp (Filesize: 32KB)
• memory/3720-26-0x000000001C120000-0x000000001C12C000-memory.dmp (Filesize: 48KB)
• memory/3720-23-0x000000001B9D0000-0x000000001B9DC000-memory.dmp (Filesize: 48KB)
• memory/3720-22-0x000000001B9C0000-0x000000001B9CC000-memory.dmp (Filesize: 48KB)
• memory/3720-27-0x000000001C230000-0x000000001C238000-memory.dmp (Filesize: 32KB)
• memory/3720-21-0x000000001C640000-0x000000001CB68000-memory.dmp (Filesize: 5.2MB)
• memory/3720-1-0x00007FFC13BA0000-0x00007FFC14661000-memory.dmp (Filesize: 10.8MB)
• memory/3720-7-0x0000000002E80000-0x0000000002E90000-memory.dmp (Filesize: 64KB)
• memory/3720-20-0x000000001B990000-0x000000001B9A2000-memory.dmp (Filesize: 72KB)
• memory/3720-70-0x00007FFC13BA0000-0x00007FFC14661000-memory.dmp (Filesize: 10.8MB)
• memory/3720-35-0x000000001C3B0000-0x000000001C3BC000-memory.dmp (Filesize: 48KB)
• memory/3720-34-0x000000001C3A0000-0x000000001C3AA000-memory.dmp (Filesize: 40KB)
• memory/3720-19-0x0000000003060000-0x0000000003068000-memory.dmp (Filesize: 32KB)
• memory/3720-17-0x0000000003040000-0x0000000003048000-memory.dmp (Filesize: 32KB)
• memory/3720-24-0x000000001B9F0000-0x000000001B9F8000-memory.dmp (Filesize: 32KB)
• memory/3720-28-0x000000001C240000-0x000000001C24A000-memory.dmp (Filesize: 40KB)
• memory/3720-18-0x0000000003050000-0x000000000305C000-memory.dmp (Filesize: 48KB)
• memory/3720-0-0x0000000000910000-0x0000000000C40000-memory.dmp (Filesize: 3.2MB)
• memory/3720-25-0x000000001C110000-0x000000001C11C000-memory.dmp (Filesize: 48KB)
• memory/3720-8-0x0000000002FC0000-0x0000000002FD6000-memory.dmp (Filesize: 88KB)
• memory/3720-15-0x000000001B940000-0x000000001B996000-memory.dmp (Filesize: 344KB)
• memory/3720-14-0x0000000003020000-0x000000000302A000-memory.dmp (Filesize: 40KB)
• memory/3720-13-0x0000000003000000-0x0000000003010000-memory.dmp (Filesize: 64KB)
• memory/3720-29-0x000000001C250000-0x000000001C25E000-memory.dmp (Filesize: 56KB)
• memory/3720-16-0x0000000003030000-0x000000000303C000-memory.dmp (Filesize: 48KB)
• memory/3720-12-0x0000000002FF0000-0x0000000002FF8000-memory.dmp (Filesize: 32KB)
• memory/3720-6-0x0000000002E70000-0x0000000002E78000-memory.dmp (Filesize: 32KB)
• memory/3720-32-0x000000001C380000-0x000000001C38C000-memory.dmp (Filesize: 48KB)
• memory/3720-31-0x000000001C370000-0x000000001C37E000-memory.dmp (Filesize: 56KB)
• memory/3720-11-0x0000000003010000-0x000000000301C000-memory.dmp (Filesize: 48KB)
• memory/3720-30-0x000000001C360000-0x000000001C368000-memory.dmp (Filesize: 32KB)
• memory/3720-3-0x0000000002E40000-0x0000000002E4E000-memory.dmp (Filesize: 56KB)
• memory/3720-4-0x0000000002E50000-0x0000000002E5E000-memory.dmp (Filesize: 56KB)
• memory/3720-5-0x0000000002E60000-0x0000000002E68000-memory.dmp (Filesize: 32KB)
• memory/3720-10-0x0000000002FE0000-0x0000000002FF2000-memory.dmp (Filesize: 72KB)
• memory/3720-9-0x0000000002E90000-0x0000000002E98000-memory.dmp (Filesize: 32KB)

• memory/3908-158-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/3908-146-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/3908-147-0x000000001BE00000-0x000000001BE10000-memory.dmp (Filesize: 64KB)
• memory/4296-101-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/4296-90-0x000000001B9A0000-0x000000001B9B0000-memory.dmp (Filesize: 64KB)
• memory/4296-89-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/4564-187-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)
• memory/4564-176-0x0000000001B40000-0x0000000001B52000-memory.dmp (Filesize: 72KB)
• memory/4564-175-0x0000000001820000-0x0000000001830000-memory.dmp (Filesize: 64KB)
• memory/4564-174-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp (Filesize: 10.8MB)