Overview

overview

10

Static

static

3

07239df254...9N.exe

windows7-x64

10

07239df254...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 07:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe

  • Size

    4.9MB

  • MD5

    ab6d303ac15ff3436948bc28e5b25170

  • SHA1

    91573b8083258e57d17d8e42be88568d3c7b5596

  • SHA256

    07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9

  • SHA512

    bf2bb5d63cee62e6c16812b655030bb5054a87f4496667114d69f0758ced3f992989cf263522e425d210a7f7dfc8052499dda334d7fd70b993739ff0cd17d33a

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
    "C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\tmp787E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp787E.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\tmp787E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp787E.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:60
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gHK1Vy37nl.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3252
        • C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
          "C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3428
          • C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp.exe"
              5⤵
              • Executes dropped EXE
              PID:4372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1PIx8rYtC.bat"
            4⤵
              PID:4984
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                5⤵
                  PID:3476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\sihost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1616
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3124
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4120
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4720
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:4400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Videos\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OneDrive\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backgroundTaskHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1472
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\PackageManifests\backgroundTaskHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1856
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:1048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:2332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:3596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:4996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\fr-FR\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:3172
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:4664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:1532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
          1⤵
            PID:3672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
              PID:1604

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Recovery\WindowsRE\lsass.exe
              Filesize

              4.9MB

              MD5

              432e76f1ea1ec8af1d08fea97575a8f2

              SHA1

              3e7070322601f93105198ae1a9e5259c2eda6954

              SHA256

              9434bff27e25a26f0c5637a9193ad2bf39b37309a9207ffe2efc2090cb44cb60

              SHA512

              eee2e70672b3be6add49733b7e6155a794950f3a1c05ccfe3f5270e23d92ca64d8e77ebddec081943defafb6094d524ec92d97edf9c3d01433cbc53825aca5d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe.log
              Filesize

              1KB

              MD5

              bbb951a34b516b66451218a3ec3b0ae1

              SHA1

              7393835a2476ae655916e0a9687eeaba3ee876e9

              SHA256

              eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

              SHA512

              63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              6d3e9c29fe44e90aae6ed30ccf799ca8

              SHA1

              c7974ef72264bbdf13a2793ccf1aed11bc565dce

              SHA256

              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

              SHA512

              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              a8e8360d573a4ff072dcc6f09d992c88

              SHA1

              3446774433ceaf0b400073914facab11b98b6807

              SHA256

              bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

              SHA512

              4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              3a6bad9528f8e23fb5c77fbd81fa28e8

              SHA1

              f127317c3bc6407f536c0f0600dcbcf1aabfba36

              SHA256

              986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

              SHA512

              846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              e243a38635ff9a06c87c2a61a2200656

              SHA1

              ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

              SHA256

              af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

              SHA512

              4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              cadef9abd087803c630df65264a6c81c

              SHA1

              babbf3636c347c8727c35f3eef2ee643dbcc4bd2

              SHA256

              cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

              SHA512

              7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              aaaac7c68d2b7997ed502c26fd9f65c2

              SHA1

              7c5a3731300d672bf53c43e2f9e951c745f7fbdf

              SHA256

              8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

              SHA512

              c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5b210bb5af7ad5735e5adc3261a05a5d

              SHA1

              c70bf5f62575bdaf30a1e9ae0c19660afa8a6798

              SHA256

              be4d62011180fb0a51d2ef5dcbc2962d4c0513d25ee43ce3ca2dd7aef9920c86

              SHA512

              0a5e45fe8f755b1df400513f14bf92f9362d096b6ea29be5975780fa2a55fcba39aa92fd09ee26a8d7ef032bcdc34c8695eca90db4300b6e922be6df637f827a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              be9c6a21d90825886142766cd312e54b

              SHA1

              e7e246b00840168afd9258647a9ce03ccd9fb180

              SHA256

              cac8fe806966ec5f049e11731d0576dca138e3b7b735c8ee84052ef7d918485f

              SHA512

              70f567a4ac7847adf5196d68f6a7e370cc6d3aa40c0edd4f1190a638adfd109c94ad4c0b9d832b2c4b1cae0105bd0983936944ee824a4b7feed7d1170cfdd464

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              1f545274ba19d9199a78f74cd05e8187

              SHA1

              4036cf78d3f310af42963c8f16ae27c5922b5dff

              SHA256

              3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

              SHA512

              b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              4f473e15a0686d0c819ad40b5f232368

              SHA1

              a769892ae2e8203e7d4a992a317189b56723da33

              SHA256

              53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237

              SHA512

              d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              0517d7daa86e87ab93c37adcb931f498

              SHA1

              6b243308a84f033c4943c7f63c0f824d8db31a13

              SHA256

              3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

              SHA512

              a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              66c1af19164d3b08179f388a26c2bde9

              SHA1

              599bb2101a033126bc82001419b94a3467fe86f2

              SHA256

              48950437c36bb693eae5049f0eef84824d76169e0cd736590b401b0713be3b30

              SHA512

              5b575918813e354824c07ac91ea7c1fb121d903065d1f2cab92393ae215825b1392c50f8658a5c482c6a1fdd9922b1f29f9f34fe53a584169285cbe0ea10a17b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              57bf332304655b59dc4b9099eb5b50f3

              SHA1

              b0c645742c9bbc43148f2dedbeb6b70ebc7e42b6

              SHA256

              3a566412269e1c0b49768423c6632f7af3923fbe02f56727626f1f7f67ccc310

              SHA512

              43196920c2e6ccf884e4899be2d9c690739b4aa62d1a3f2f76d353ef2b825a8fd4090562a12c22fa97797304804132124b6480c3000b0387050cf334b0be6385

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rouexqzb.bep.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a1PIx8rYtC.bat
              Filesize

              204B

              MD5

              527b3d5855625e99fde61bc8a4ddb9b4

              SHA1

              1532a29edbd364849ddd4f7dec65cf08a7feed6a

              SHA256

              6f02a2dac0720c8dada09221571b43482071dbf417fc5396c584823ab5314f89

              SHA512

              0aecde7de2a337855256cdf209cb31aeefa7d7a81cc514d2557cbc3b905eb8fbb167415dfe8346165788420961dc848eaab536b588783ccb839bbca531d41667

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\gHK1Vy37nl.bat
              Filesize

              268B

              MD5

              32dbaaa4fcd45d073026deb83b77cd47

              SHA1

              0782147db3b8d29dd4af5b82012906ebfded8c9a

              SHA256

              d12a8a20475d500c3f47561e7519a7b643be4c5afdfaf169b9315ea6d46a3cf6

              SHA512

              0ba7cbcc08a17ea6305d645dafc584b49064e0153a61dad435055303b6a2add25867435a56262b990d422528a3bddbe83741e4e950e46079d67fd58f2dc27030

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp787E.tmp.exe
              Filesize

              75KB

              MD5

              e0a68b98992c1699876f818a22b5b907

              SHA1

              d41e8ad8ba51217eb0340f8f69629ccb474484d0

              SHA256

              2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

              SHA512

              856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

              Download Submit

            • C:\Users\Default\dllhost.exe
              Filesize

              4.9MB

              MD5

              ab6d303ac15ff3436948bc28e5b25170

              SHA1

              91573b8083258e57d17d8e42be88568d3c7b5596

              SHA256

              07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9

              SHA512

              bf2bb5d63cee62e6c16812b655030bb5054a87f4496667114d69f0758ced3f992989cf263522e425d210a7f7dfc8052499dda334d7fd70b993739ff0cd17d33a

              Download Submit

            • C:\Users\Public\Pictures\RCX8B92.tmp
              Filesize

              4.9MB

              MD5

              6f8a1b7b9fb33733dd667c7491fdc599

              SHA1

              bf4490e8e21ba8251a8d133ad3859976854e9959

              SHA256

              16b960b1d5701566aee9ea4a39179bfa9373b17d39e9328c6c846b4f4dbdb984

              SHA512

              3162dfc58d5527a540580f5906dd2657f469da6882eae1ec16df1472c8e7b18f704b2638656fc76f5ed698cf75c34551dfe9c41883a5f58b6c1a65332555df78

              Download Submit

            • memory/396-12-0x000000001CA20000-0x000000001CF48000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/396-3-0x000000001BD20000-0x000000001BE4E000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/396-1-0x0000000000A70000-0x0000000000F64000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/396-189-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/396-14-0x000000001C480000-0x000000001C48E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/396-2-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/396-16-0x000000001C4F0000-0x000000001C4F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/396-17-0x000000001C500000-0x000000001C508000-memory.dmp

              Filesize

              32KB

              Download

            • memory/396-18-0x000000001C610000-0x000000001C61C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/396-13-0x000000001C470000-0x000000001C47A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/396-0-0x00007FFC27F23000-0x00007FFC27F25000-memory.dmp

              Filesize

              8KB

              Download

            • memory/396-156-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/396-10-0x000000001C450000-0x000000001C45A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/396-11-0x000000001C460000-0x000000001C472000-memory.dmp

              Filesize

              72KB

              Download

            • memory/396-148-0x00007FFC27F23000-0x00007FFC27F25000-memory.dmp

              Filesize

              8KB

              Download

            • memory/396-9-0x000000001BD00000-0x000000001BD10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/396-8-0x000000001BCE0000-0x000000001BCF6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/396-7-0x0000000003160000-0x0000000003170000-memory.dmp

              Filesize

              64KB

              Download

            • memory/396-5-0x000000001C4A0000-0x000000001C4F0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/396-6-0x0000000003120000-0x0000000003128000-memory.dmp

              Filesize

              32KB

              Download

            • memory/396-4-0x0000000003140000-0x000000000315C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/396-15-0x000000001C490000-0x000000001C49E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1896-72-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/4244-201-0x000001DAF81A0000-0x000001DAF81C2000-memory.dmp

              Filesize

              136KB

              Download