Overview

overview

10

Static

static

3

5f5b230460...1N.exe

windows7-x64

10

5f5b230460...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

  • Size

    1.5MB

  • MD5

    8a3610882dcd50607fd3fa01d7a27b70

  • SHA1

    3f3823159964a51f3e55decdbe83abaf79ba9d8a

  • SHA256

    5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

  • SHA512

    faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444

  • SSDEEP

    24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81

Score
10/10
dcratexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 20 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
    "C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sysmon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\backgroundTaskHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\regid.1991-06.com.microsoft\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\USOShared\Logs\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Adobe\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.Search\pris\StartMenuExperienceHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\uk-UA\unsecapp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJAVlmCtXs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:6024
        • C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
          "C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:6008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\System.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\RuntimeBroker.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5424
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qnTAHDxf9x.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3772
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
                PID:4156
              • C:\Recovery\WindowsRE\fontdrvhost.exe
                "C:\Recovery\WindowsRE\fontdrvhost.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5428
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7365bbf2-084e-43cf-b129-c9a65169ca05.vbs"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2792
                  • C:\Recovery\WindowsRE\fontdrvhost.exe
                    C:\Recovery\WindowsRE\fontdrvhost.exe
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:220
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c13ed6fa-4e8e-4f05-9e15-8842084df484.vbs"
                  6⤵
                    PID:3232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "58VOwininit" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "vZSCwininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "LjDowininit" /sc ONSTART /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4152
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "qAqHIdle" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Ac39Idle" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "L1QcIdle" /sc ONSTART /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MfU5sysmon" /sc MINUTE /mo 5 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "GqSLsysmon" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "vcsgsysmon" /sc ONSTART /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc MINUTE /mo 10 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sysmon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1UZKbackgroundTaskHost" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SZEtbackgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3344
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "6JunbackgroundTaskHost" /sc ONSTART /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3868
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "W4OLIdle" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hp5HIdle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "bP2EIdle" /sc ONSTART /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Ixm7smss" /sc MINUTE /mo 9 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "vsdRsmss" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "823Ismss" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:1372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "aGxwIdle" /sc MINUTE /mo 8 /tr "'C:\ProgramData\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "pvFaIdle" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5032
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "P7cIIdle" /sc ONSTART /tr "'C:\ProgramData\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\ProgramData\SoftwareDistribution\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "iKt3sihost" /sc MINUTE /mo 10 /tr "'C:\ProgramData\USOShared\Logs\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "XQIisihost" /sc ONLOGON /tr "'C:\ProgramData\USOShared\Logs\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:804
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Z9fLsihost" /sc ONSTART /tr "'C:\ProgramData\USOShared\Logs\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc MINUTE /mo 12 /tr "'C:\ProgramData\USOShared\Logs\sihost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Bi3Wupfc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:4832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Q3wBupfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "o7gMupfc" /sc ONSTART /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "eTKidllhost" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "yOUldllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wF78dllhost" /sc ONSTART /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "pnw6upfc" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Adobe\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wnJVupfc" /sc ONLOGON /tr "'C:\ProgramData\Adobe\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Np6uupfc" /sc ONSTART /tr "'C:\ProgramData\Adobe\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4804
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Adobe\upfc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lqt4wininit" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "xeGpwininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Yg1swininit" /sc ONSTART /tr "'C:\Program Files (x86)\Common Files\Services\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ppEgcsrss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "u8xdcsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "XuT2csrss" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:4200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sOkUStartMenuExperienceHost" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.Search\pris\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lGJAStartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Search\pris\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MzNtStartMenuExperienceHost" /sc ONSTART /tr "'C:\Windows\SystemResources\Windows.UI.Search\pris\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Windows.UI.Search\pris\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lR1Vunsecapp" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\uk-UA\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "mYWOunsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:4884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "8ZJCunsecapp" /sc ONSTART /tr "'C:\Windows\PolicyDefinitions\uk-UA\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\uk-UA\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:4256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "yp4nRegistry" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "2QfvRegistry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "jz2nRegistry" /sc ONSTART /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fxmxfontdrvhost" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:1008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TfBffontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:5560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "M2k3fontdrvhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:1568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "xvmFSystem" /sc MINUTE /mo 5 /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:5780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CGaMSystem" /sc ONLOGON /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ydiqSystem" /sc ONSTART /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:5240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\System.exe'" /f
          1⤵
          • DcRat
          PID:6108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "FpR4fontdrvhost" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          PID:1588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "iDU5fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "b6sUfontdrvhost" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
            PID:5932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2820
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "04UbRuntimeBroker" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\Deployment\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "niNCRuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:4212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "xVTORuntimeBroker" /sc ONSTART /tr "'C:\Windows\Sun\Java\Deployment\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            PID:3228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\Deployment\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:5484

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Internet Explorer\es-ES\Idle.exe
            Filesize

            1.5MB

            MD5

            8a3610882dcd50607fd3fa01d7a27b70

            SHA1

            3f3823159964a51f3e55decdbe83abaf79ba9d8a

            SHA256

            5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

            SHA512

            faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444

            Download Submit

          • C:\Recovery\WindowsRE\Registry.exe
            Filesize

            1.5MB

            MD5

            ffaa793566285aa9bc7a3c1a4469f120

            SHA1

            fc338e7d99074702dfda6b68aefa6b72f62af5ab

            SHA256

            0a427324169d35f6bc8b9b229b10692c4618ecc4197553c297597630bf5a3bba

            SHA512

            1641cde0059aa572f63fd3c192ef0e0e99cf7d23010ca98c42de3687c871dcde01dfde7f87ec0e609664abbc4957e6a6cb1340d9a6e46a35af21346bbc2b2196

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe.log
            Filesize

            1KB

            MD5

            7800fca2323a4130444c572374a030f4

            SHA1

            40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

            SHA256

            29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

            SHA512

            c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
            Filesize

            1KB

            MD5

            3ad9a5252966a3ab5b1b3222424717be

            SHA1

            5397522c86c74ddbfb2585b9613c794f4b4c3410

            SHA256

            27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

            SHA512

            b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            5f0ddc7f3691c81ee14d17b419ba220d

            SHA1

            f0ef5fde8bab9d17c0b47137e014c91be888ee53

            SHA256

            a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

            SHA512

            2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e448fe0d240184c6597a31d3be2ced58

            SHA1

            372b8d8c19246d3e38cd3ba123cc0f56070f03cd

            SHA256

            c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

            SHA512

            0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            3a6bad9528f8e23fb5c77fbd81fa28e8

            SHA1

            f127317c3bc6407f536c0f0600dcbcf1aabfba36

            SHA256

            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

            SHA512

            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            aaaac7c68d2b7997ed502c26fd9f65c2

            SHA1

            7c5a3731300d672bf53c43e2f9e951c745f7fbdf

            SHA256

            8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

            SHA512

            c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            0aa63dbb46d451e47a7a682c64af776d

            SHA1

            3b0026f2dae8e9c491ccaa40133755779de35aaa

            SHA256

            9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

            SHA512

            4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            a83ce2908066654f712d1858746bc3c4

            SHA1

            14887f0537ce076cdc91801fb5fa584b25f1089f

            SHA256

            7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f

            SHA512

            991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7365bbf2-084e-43cf-b129-c9a65169ca05.vbs
            Filesize

            713B

            MD5

            a0d8dc49756cda0de4b7338d9d463263

            SHA1

            29322391584791ed6f8bbeb39dd111b8d2a60520

            SHA256

            d45ee2329aa398536521d0a06e357d74f84b61ff6a30819b8b1d1bdfb5617e25

            SHA512

            1f737c3a3cd7c320ec488bc5ae15308e244af15f9a9f495f6b15f393b014f467d8a21dfda09594d212b6552e86b0c6980b4e834da63dff5226824c081fe4da95

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\PJAVlmCtXs.bat
            Filesize

            267B

            MD5

            84739475e093360694adfb0b33fd3552

            SHA1

            e561af56ca53a7ea42fc19872cca853768cb8ed6

            SHA256

            1e103908ee33b17d349f55c5d3574ad858bb019eeffdaa97a48212c6788b8d2e

            SHA512

            dedd7d4111a8b360c0130d85348b33c2304aa909dfb4b359267d285883ab17ff55e14f01369d4c0951ffc07c7d0856c4fd31f8a0784fd7bc0c13edfea354ed2f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhylcsod.52t.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c13ed6fa-4e8e-4f05-9e15-8842084df484.vbs
            Filesize

            489B

            MD5

            a96552175629ebb11236bde9255015d1

            SHA1

            6de966d82439c32f1c9810a5b4a6ea9fbcae3058

            SHA256

            a9d9e674177c6cf1286b0e222ac9d94530fcac9b36b6fedc6c2dba3f10f3a94d

            SHA512

            c456f2be83ffccabc8e621f0f394132fa353cce35f729447c90c4f3ddb4fc19bc254f1b950db738543771c9e94c8bbffb1a1bc281b53b8feb59c917adf062792

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\qnTAHDxf9x.bat
            Filesize

            201B

            MD5

            4bfb224e7f10fd056466486f35fc8b05

            SHA1

            7428ca1825b3a96f5bf6470dded202d24646cf5f

            SHA256

            00f5b1f16b137dba2fabf86e1e9acf5f9eddd34c5f8bb4de511c16effd86c6fb

            SHA512

            a1cafb062139becdfbb848a1b7421569c63cce3d8a44ccecfbee61a3d7d2fbfc22d1ba43760265aac2b71949d17a86b32f469b198457c23b9adc07464e78ad41

            Download Submit

          • memory/392-372-0x000001954BC20000-0x000001954BD6E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/436-368-0x000002AFEC5B0000-0x000002AFEC6FE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/752-336-0x00000235ED8C0000-0x00000235EDA0E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1052-367-0x000001F6E83D0000-0x000001F6E851E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1180-326-0x0000017262040000-0x000001726218E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1584-357-0x0000028263460000-0x00000282635AE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1828-343-0x0000017D52DB0000-0x0000017D52EFE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1912-349-0x00000152F9220000-0x00000152F936E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2712-13-0x000000001C110000-0x000000001C11A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2712-11-0x000000001B990000-0x000000001B99A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2712-6-0x0000000001600000-0x0000000001610000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2712-1-0x0000000000B80000-0x0000000000D0C000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2712-165-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2712-8-0x000000001B970000-0x000000001B980000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2712-145-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2712-130-0x00007FFEC7053000-0x00007FFEC7055000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2712-14-0x000000001C120000-0x000000001C12C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2712-9-0x000000001B960000-0x000000001B96C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2712-0-0x00007FFEC7053000-0x00007FFEC7055000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2712-7-0x000000001B950000-0x000000001B962000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2712-2-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2712-3-0x000000001B930000-0x000000001B94C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2712-12-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2712-10-0x000000001B980000-0x000000001B98C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2712-5-0x00000000015E0000-0x00000000015F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2712-4-0x000000001BFC0000-0x000000001C010000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2904-342-0x00000200F8C70000-0x00000200F8DBE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3248-360-0x000001F7E92F0000-0x000001F7E943E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3432-352-0x0000024D46F40000-0x0000024D4708E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3440-371-0x0000020570660000-0x00000205707AE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3700-333-0x000001CB1B660000-0x000001CB1B7AE000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3700-177-0x000001CB1B630000-0x000001CB1B652000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4068-341-0x000002B2FF8D0000-0x000002B2FFA1E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4200-353-0x0000023A9BEC0000-0x0000023A9C00E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4652-356-0x000001B666730000-0x000001B66687E000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4884-344-0x0000020641B60000-0x0000020641CAE000-memory.dmp

            Filesize

            1.3MB

            Download