Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 10:13

General

  • Target

    SandeLLoCHECKER_Installer (2).exe

  • Size

    1.5MB

  • MD5

    4c52459e292810c1197ed6f2e6486375

  • SHA1

    12f8ef89e298d758b61b8104aca610ddce9b5b4e

  • SHA256

    513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc

  • SHA512

    47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7

  • SSDEEP

    24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 44 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 64 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe
    "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\chainproviderBrowsersvc\surrogateweb.exe
          "C:\chainproviderBrowsersvc\surrogateweb.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\chainproviderBrowsersvc\surrogateweb.exe
            "C:\chainproviderBrowsersvc\surrogateweb.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p7fNVDzLAP.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4804
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4832
                • C:\chainproviderBrowsersvc\surrogateweb.exe
                  "C:\chainproviderBrowsersvc\surrogateweb.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4828
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MihSKbgfkU.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5096
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1676
                      • C:\chainproviderBrowsersvc\surrogateweb.exe
                        "C:\chainproviderBrowsersvc\surrogateweb.exe"
                        9⤵
                        • Modifies WinLogon for persistence
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Drops file in Program Files directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4368
                        • C:\chainproviderBrowsersvc\surrogateweb.exe
                          "C:\chainproviderBrowsersvc\surrogateweb.exe"
                          10⤵
                          • Modifies WinLogon for persistence
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Drops file in Program Files directory
                          • Drops file in Windows directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2732
                          • C:\chainproviderBrowsersvc\taskhostw.exe
                            "C:\chainproviderBrowsersvc\taskhostw.exe"
                            11⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: GetForegroundWindowSpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:3432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Downloads\cmd.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:3180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1156
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:1556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:1696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:3620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:4508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogateweb" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:2556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:3104
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1156
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:3424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:4044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:3068
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • DcRat
        PID:380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:2712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
        1⤵
          PID:4528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          PID:3520
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
          1⤵
            PID:2092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
            1⤵
              PID:4244
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
              1⤵
                PID:2688
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                  PID:1272
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                    PID:1584
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                    1⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:868
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    PID:1460
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    PID:3628
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f
                    1⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:440
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Scheduled Task/Job: Scheduled Task
                    PID:2148
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3144
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                    1⤵
                    • DcRat
                    • Scheduled Task/Job: Scheduled Task
                    PID:220
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                    1⤵
                      PID:324
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Scheduled Task/Job: Scheduled Task
                      PID:5016
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /f
                      1⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:4128
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                      1⤵
                        PID:4124
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:2480
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
                        1⤵
                        • DcRat
                        PID:3596
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        PID:5056
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Scheduled Task/Job: Scheduled Task
                        PID:3824
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /f
                        1⤵
                          PID:4356
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Scheduled Task/Job: Scheduled Task
                          PID:3480
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          PID:4972
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                          1⤵
                            PID:4832
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            PID:5012
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                            1⤵
                              PID:1592
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /f
                              1⤵
                                PID:3180
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                • DcRat
                                • Scheduled Task/Job: Scheduled Task
                                PID:3104
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                  PID:2320
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /f
                                  1⤵
                                    PID:4836
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3228
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    PID:772
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f
                                    1⤵
                                    • DcRat
                                    PID:2868
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2500
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    PID:2824
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
                                    1⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:5040
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    PID:2304
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:4300
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f
                                    1⤵
                                      PID:3068
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:528
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      PID:1400
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                      1⤵
                                        PID:3452
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:784
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        PID:1484
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /f
                                        1⤵
                                          PID:2752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • DcRat
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4188
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • DcRat
                                          PID:3944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /f
                                          1⤵
                                          • DcRat
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3520
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2092
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:436
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2572
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • DcRat
                                          PID:3964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • DcRat
                                          PID:1272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /f
                                          1⤵
                                          • DcRat
                                          PID:2272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:868
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • DcRat
                                          PID:1460

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Recovery\WindowsRE\56085415360792

                                          Filesize

                                          125B

                                          MD5

                                          a725d394e43fa8b9e38a37aa0b81b23e

                                          SHA1

                                          96778bced9ae4b9c1515fe9d55978f6a4db9e719

                                          SHA256

                                          92765430f6f7144ebcf6cb120d3fd1521d523a3caf32f93b3305d488fbddd7f2

                                          SHA512

                                          5150672a35298860d45fdd39de4230ef3434455bf0aa30ae76d0cd04ca1865f455b541093da759e446707a108d90271d7b425092004ed316d1962bd5101ea752

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\surrogateweb.exe.log

                                          Filesize

                                          1KB

                                          MD5

                                          7800fca2323a4130444c572374a030f4

                                          SHA1

                                          40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

                                          SHA256

                                          29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

                                          SHA512

                                          c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

                                        • C:\Users\Admin\AppData\Local\Temp\MihSKbgfkU.bat

                                          Filesize

                                          208B

                                          MD5

                                          ab118d33ccf7b9bea3f6bccc2521932a

                                          SHA1

                                          ef279e828625da911fa3ff5b2f973570456e09d3

                                          SHA256

                                          53b1393e159cdacc2e83ccc8b720a34f751147718494ece959d17bd1576559fc

                                          SHA512

                                          3444bb4b5a73981bade42f5a5ab5d58ad80b3cdac3dd5566bae257ad925285c0958d005e9a5a83487ae422296c46e63788446606dfc6064a6a103d9cfb1ee607

                                        • C:\Users\Admin\AppData\Local\Temp\p7fNVDzLAP.bat

                                          Filesize

                                          208B

                                          MD5

                                          a4c1a23f9940b86c649a8f43715b000e

                                          SHA1

                                          59974e8986e8b8d0707e4e518651f457a92894be

                                          SHA256

                                          0c8e2f5c2a05d70440a94900dae9e4b1984c2fed26932bc43d8fce3b60c04809

                                          SHA512

                                          3ee4745b5198f730a22a1b29ab028054c8f16a3a276389b66b855aad0443d3f7e3907f5a83850e58778388e7446e317b810303e42119bec99ec30adcf27d7fa2

                                        • C:\chainproviderBrowsersvc\1L1To0L.bat

                                          Filesize

                                          45B

                                          MD5

                                          3c8ed674ffedfe6b8d0c064cab60006d

                                          SHA1

                                          7080e2cf3d63412726841df13a193e1e56576d7f

                                          SHA256

                                          0a743db445078b3285505edde00ff06568dc9276d50450cb23e93dc2d13ff1fc

                                          SHA512

                                          26678921909b08733f2bf1e921109775b5b4d45b3be2fa7169b3a413ebe78853023a4927f2f26fc63b78a6d6dc21ed603edce39ee8cb7a703bd247a8d6aad7da

                                        • C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe

                                          Filesize

                                          207B

                                          MD5

                                          899f8aaacb8d91de21a507edf16520e2

                                          SHA1

                                          2e81832c3da7c117b96e87a3891ca41aba7b819d

                                          SHA256

                                          3a8e29e95179d9794c2e3367cb170717682087650ee33b70905c4deb7fbab762

                                          SHA512

                                          7d19a730e8dcc78e265b19fb9c901ccd8456bbaf6d8702c25377f86fe8427c82a918b1a96a50b83ddc6363a169739106bc2e4218097d31cad8e0c0a139bf9f3e

                                        • C:\chainproviderBrowsersvc\surrogateweb.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          263dca09ac216848fa0ce9aea1f1aa04

                                          SHA1

                                          da162b0daf02ee8cf89a011f4a2876efb4694552

                                          SHA256

                                          2bb6c2c2394ec60767a70db1d9098af76e1142de9e9ad9e94c52207c121088a8

                                          SHA512

                                          3d7fd55d1dd95d998b14985aa9bdc6e3d152b6f9e7b52153bdedddd21514805fb3dd339cf6e712a428c329744c263cb945037c82f19c111d6ddbdc7e8d96359d

                                        • memory/1804-12-0x00007FFCE17A3000-0x00007FFCE17A5000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1804-16-0x000000001B2C0000-0x000000001B2D6000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/1804-17-0x00000000028B0000-0x00000000028BC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1804-15-0x000000001B310000-0x000000001B360000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1804-14-0x0000000002890000-0x00000000028AC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/1804-13-0x0000000000650000-0x0000000000782000-memory.dmp

                                          Filesize

                                          1.2MB