Overview

overview

10

Static

static

10

6aaabd8de9...4N.exe

windows7-x64

10

6aaabd8de9...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe

  • Size

    1.8MB

  • MD5

    e161f5c294ac3464de6f84a53a506700

  • SHA1

    9c9b1f8f6c060e7e0ce67292e9ec249ec265aea7

  • SHA256

    6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34

  • SHA512

    e5ec70fea9bf4bc5e0e858eaea1f31259300193edfe48b963e2179d01bcbc1e50d6bccf25a35acd4b0fefaea1ba4ee6c429fa76ae02426c73d4fd69f0585268e

  • SSDEEP

    49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score
10/10
dcratdiscoveryevasionexecutioninfostealerratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
    "C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\445e1976593e6b3b2072e606af9be0ae\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Recovery\WindowsRE\lsass.exe
      "C:\Recovery\WindowsRE\lsass.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5108
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dff26c7-bcca-4ad3-8b73-27df4edb514e.vbs"
        3⤵
          PID:2204
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\767b926d-88b5-4ffe-a7fe-7e37d6f4b02a.vbs"
          3⤵
            PID:224
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13777/
            3⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbbd446f8,0x7ffbbbd44708,0x7ffbbbd44718
              4⤵
                PID:1436
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
                4⤵
                  PID:1592
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
                  4⤵
                    PID:3680
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
                    4⤵
                      PID:552
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                      4⤵
                        PID:2656
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                        4⤵
                          PID:4860
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
                          4⤵
                            PID:540
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
                            4⤵
                              PID:2132
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                              4⤵
                                PID:2704
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                4⤵
                                  PID:1736
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
                                  4⤵
                                    PID:848
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
                                    4⤵
                                      PID:5180
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
                                      4⤵
                                        PID:5408
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                                        4⤵
                                          PID:5524
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7624090176405603834,11832944299088891636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
                                          4⤵
                                            PID:5972
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3104
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3340
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3136
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2676
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4736
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2856
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\445e1976593e6b3b2072e606af9be0ae\upfc.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:5012
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\445e1976593e6b3b2072e606af9be0ae\upfc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3224
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\445e1976593e6b3b2072e606af9be0ae\upfc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3516
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\fontdrvhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:5072
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4480
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3940
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\explorer.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4476
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2792
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2904
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3420
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4892
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3140
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4936
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3968
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4092
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2332
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1760
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4816
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2004
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2128
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3908
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2252
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4720
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:392
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\sppsvc.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4240
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2124
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3424
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N6" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2896
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2412
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N6" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1716
                                    • C:\Windows\system32\vssvc.exe
                                      C:\Windows\system32\vssvc.exe
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4308
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1372
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:4728
                                        • C:\Windows\system32\wbem\WmiApSrv.exe
                                          C:\Windows\system32\wbem\WmiApSrv.exe
                                          1⤵
                                            PID:4152

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Reconnaissance

                                          Resource Development

                                          Initial Access

                                          Execution

                                          Command and Scripting Interpreter

                                          1
                                          T1059

                                          PowerShell

                                          1
                                          T1059.001

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Persistence

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Privilege Escalation

                                          Abuse Elevation Control Mechanism

                                          1
                                          T1548

                                          Bypass User Account Control

                                          1
                                          T1548.002

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Defense Evasion

                                          Abuse Elevation Control Mechanism

                                          1
                                          T1548

                                          Bypass User Account Control

                                          1
                                          T1548.002

                                          Impair Defenses

                                          1
                                          T1562

                                          Disable or Modify Tools

                                          1
                                          T1562.001

                                          Modify Registry

                                          2
                                          T1112

                                          Credential Access

                                          Credentials from Password Stores

                                          1
                                          T1555

                                          Credentials from Web Browsers

                                          1
                                          T1555.003

                                          Unsecured Credentials

                                          1
                                          T1552

                                          Credentials In Files

                                          1
                                          T1552.001

                                          Discovery

                                          Browser Information Discovery

                                          1
                                          T1217

                                          Query Registry

                                          4
                                          T1012

                                          System Information Discovery

                                          4
                                          T1082

                                          Lateral Movement

                                          Collection

                                          Data from Local System

                                          1
                                          T1005

                                          Command and Control

                                          Exfiltration

                                          Impact

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Program Files (x86)\Windows Portable Devices\explorer.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            87fa0ef1777f86770bed894624fae8de

                                            SHA1

                                            a1110744ca8ff94056aac15f97da59c9a3b73ef1

                                            SHA256

                                            05f3a2eecf1d3b31a38a941bb8b4d24a789bf2dc2bb18297d090a0addda70250

                                            SHA512

                                            a7d174678adfa1a5e5c2606b892ec9ab11eb701f9505f34de0f0a89cddc69272969a53ec1d71ceb3f075ff47aabfa3ace123d74f1f9ae4c0dc519cae6082f30b

                                            Download Submit

                                          • C:\Program Files\Microsoft Office 15\ClientX64\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            3840dcb164043ca5ce02a59e6e590b79

                                            SHA1

                                            b721539b45f0a759197699aa245fd25f95a87c73

                                            SHA256

                                            9607f224457231cf9d2261837172a87e368c97e4db72cff3533e7e09dc1e4f49

                                            SHA512

                                            5a55c26bea9206c1275f238e7a3958f22c4275b4e9e972f0713aef8500ef8cc25ca08d43a8d94eecc9e707a13fbc1f83e958593d1b0e0dfe314221bfdc56a1f4

                                            Download Submit

                                          • C:\Program Files\VideoLAN\VLC\fontdrvhost.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            1b9f5a54c070dff14d87a8c5b49e0c21

                                            SHA1

                                            e533ca5b63e6144a4a163e3c477dc1ea896f02f0

                                            SHA256

                                            39c3bf191405538ae6106894e519ceafcd6b773edf23fb2da275c95c94a661be

                                            SHA512

                                            4c894e549a27d85aef5549a81a9041e36315fb9ab299ab87c9170f35015ef5b08427e1531285f8c5e4efbe35b6e9ce678461f3d34c0966de9c49fd847a61a012

                                            Download Submit

                                          • C:\Recovery\WindowsRE\upfc.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            2597623e5d582fdd8254150c262e96f8

                                            SHA1

                                            dc1cd6728f20380cf65efbc889c3f47c0e3249c5

                                            SHA256

                                            a96428500f48e085a30134e2009e5d0da54e7ed3ac38693a5b453cb0c4b383e9

                                            SHA512

                                            9e6da72eeda6cc4ea1069d808505dd93f06c1d4ef836a79e1d72faf5cd1964698bd3f6dbdf552c8db7ae888edffccf0e5b3d1a24d3dcd3515774ba8f46e61482

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                            Filesize

                                            2KB

                                            MD5

                                            45c6b2621d499adcfc12b5c20a694ede

                                            SHA1

                                            393ef86a5d89b034882a36bdc621cf2943a40a3c

                                            SHA256

                                            41a0a314e19bd8f9885e052aef07a6158558a879568d8c247fbd25f4ae3d4c16

                                            SHA512

                                            2e8d381e827a9e119c68ea944584b79e3279874fcc427729f6bcf42315545b591045c395bd82ac7cb8eb791e5c6787ef0c29c12730913edc5a5b9f4fdab1378c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            61cef8e38cd95bf003f5fdd1dc37dae1

                                            SHA1

                                            11f2f79ecb349344c143eea9a0fed41891a3467f

                                            SHA256

                                            ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                                            SHA512

                                            6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            0a9dc42e4013fc47438e96d24beb8eff

                                            SHA1

                                            806ab26d7eae031a58484188a7eb1adab06457fc

                                            SHA256

                                            58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                                            SHA512

                                            868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            72d8a0f08f55656db8cb50a097c3d7fd

                                            SHA1

                                            4c6b8830a1c798d08e7fc85fb8249819660140af

                                            SHA256

                                            49862023f40a0f4747e558832ac3267f2d638ee177d4b54c5357d78f31e6547c

                                            SHA512

                                            ae408959aa367548c94c653fb27399f6232c75201848879fb976040a84142f5e0f7e12b1920f6100271e1d8c3bd9657a54037f54ed6dbf3dcd96001923ce8157

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            5KB

                                            MD5

                                            f2eb6f2e222ca7e4cdc534d68d0ab976

                                            SHA1

                                            ea35269b376f886641b79bee81a3dbc4ea7dd213

                                            SHA256

                                            55d55ad10c5f87df3f99a7e1240844e6f9645bcec0da655e8a9d34b1b1d7a90e

                                            SHA512

                                            599756a1fc5f79528f1ecbfe6b54bff1af5af94d25e0a20e1942e51d42824ad0344a01f67ed26d05347b453ac2ba40a52be512a40a5ed75941255a2d0303b73b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            6c23d0b6d6ed8a4ca785910e7fdb7ae1

                                            SHA1

                                            2edf33f8954a2bbbe84aaf97bb9d6533905c0631

                                            SHA256

                                            cc696ce243d19d049cc86e4f5f14856e3e5bcefb4d9bd478e3087b4c486c2955

                                            SHA512

                                            8d344652ed1da909ca57e15b1e0be23d3e1c6dd21494864016b56cb491633ad92f93e10729deb24a6b9480019d6c924f6ddc65e339ce998aa8bd2ca1d21b44d6

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            206702161f94c5cd39fadd03f4014d98

                                            SHA1

                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                            SHA256

                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                            SHA512

                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            10KB

                                            MD5

                                            214e8a765ad857631c23ab61187aaab7

                                            SHA1

                                            25e8c3e8d3b57a44c437eaef50e945cd560535bf

                                            SHA256

                                            7fc20c08c0df61f54f2ea50654cc7b6402361da5bdedf32b8587cc532ea33675

                                            SHA512

                                            d844468c76cd33b49dac11880ed1fd9a0a4ea04a931edc0f67401c4e61b2f8b5de369c3e4c00ec01f89cc78df70e5aa0e407228aebefedd42b8e45864f8ada46

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            77d622bb1a5b250869a3238b9bc1402b

                                            SHA1

                                            d47f4003c2554b9dfc4c16f22460b331886b191b

                                            SHA256

                                            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                            SHA512

                                            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            d28a889fd956d5cb3accfbaf1143eb6f

                                            SHA1

                                            157ba54b365341f8ff06707d996b3635da8446f7

                                            SHA256

                                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                            SHA512

                                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            bd5940f08d0be56e65e5f2aaf47c538e

                                            SHA1

                                            d7e31b87866e5e383ab5499da64aba50f03e8443

                                            SHA256

                                            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                            SHA512

                                            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            a8e8360d573a4ff072dcc6f09d992c88

                                            SHA1

                                            3446774433ceaf0b400073914facab11b98b6807

                                            SHA256

                                            bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                            SHA512

                                            4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\767b926d-88b5-4ffe-a7fe-7e37d6f4b02a.vbs
                                            Filesize

                                            483B

                                            MD5

                                            5d4ddf7caa9b8c309dc18bcbb12e9544

                                            SHA1

                                            076af5d708268a5f07ce11bf81bba0dfeacdaf62

                                            SHA256

                                            68737f11606ea97569bf362a119f8d3418b8598cc6450b2ef3ffb1b5c6a16880

                                            SHA512

                                            ef3ef7abe6931c7ed28e283ccc398376776f300bb4c8e16f53c3f905c739805803988a2a1736c9455c125af93328b6bbcfe7d7c5cf54e0b2920912ab34ffac89

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\9dff26c7-bcca-4ad3-8b73-27df4edb514e.vbs
                                            Filesize

                                            707B

                                            MD5

                                            e01b5677281b3052f54b8a044b0640a9

                                            SHA1

                                            a85510a8c8297fbb53ffb7e0a227eea75a8dfe31

                                            SHA256

                                            ae1ab2c37155897d327e1acd7f9af43a63dd930630b18ce1bd8ee36b11c16031

                                            SHA512

                                            d1408de6e0ca9a253b5647ba0d6ef238ec87e19051678eb1769a44a50f12db2f4f807caaa3a2d52240ef0046906c530d96fa3cce00d37183f3dc3156abba4f16

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cowe5x5c.oey.ps1
                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            Download Submit

                                          • C:\Windows\Sun\Java\Deployment\sppsvc.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            d6aba4f89ab3a8aa66d10d18fd3df97e

                                            SHA1

                                            e20810d8245f0662057418a5964ec2dd32c1f9a6

                                            SHA256

                                            a3bf738a866052620962f3af3d078545d2efebef8c139e653c6f4661088dd643

                                            SHA512

                                            d03526d516be6db67c492ece21311472770bcfd8bc4025ba0db7041ef70217438ea223cf9cc0ffda848df53a8538b0a04bcc0a9aa8d0a728e58589e69f9a4d20

                                            Download Submit

                                          • C:\Windows\de-DE\explorer.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            e161f5c294ac3464de6f84a53a506700

                                            SHA1

                                            9c9b1f8f6c060e7e0ce67292e9ec249ec265aea7

                                            SHA256

                                            6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34

                                            SHA512

                                            e5ec70fea9bf4bc5e0e858eaea1f31259300193edfe48b963e2179d01bcbc1e50d6bccf25a35acd4b0fefaea1ba4ee6c429fa76ae02426c73d4fd69f0585268e

                                            Download Submit

                                          • memory/1620-245-0x000001B7E9060000-0x000001B7E9082000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/3336-11-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-16-0x000000001B320000-0x000000001B32A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/3336-12-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-14-0x000000001BB90000-0x000000001BB98000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/3336-15-0x000000001B310000-0x000000001B31C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-365-0x00007FFBDFA10000-0x00007FFBDFB1B000-memory.dmp

                                            Filesize

                                            1.0MB

                                            Download

                                          • memory/3336-19-0x000000001B350000-0x000000001B35C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-10-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-9-0x000000001B2C0000-0x000000001B2CC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-0-0x00007FFBDFA10000-0x00007FFBDFB1B000-memory.dmp

                                            Filesize

                                            1.0MB

                                            Download

                                          • memory/3336-20-0x000000001BB70000-0x000000001BB7C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-13-0x000000001B300000-0x000000001B30C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/3336-17-0x000000001B330000-0x000000001B33E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/3336-8-0x0000000002780000-0x000000000278A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/3336-7-0x0000000002770000-0x0000000002778000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/3336-18-0x000000001B340000-0x000000001B348000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/3336-6-0x0000000002750000-0x0000000002766000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/3336-5-0x0000000002740000-0x0000000002750000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/3336-4-0x0000000002660000-0x0000000002668000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/3336-3-0x0000000002790000-0x00000000027E0000-memory.dmp

                                            Filesize

                                            320KB

                                            Download

                                          • memory/3336-2-0x00000000026D0000-0x00000000026EC000-memory.dmp

                                            Filesize

                                            112KB

                                            Download

                                          • memory/3336-1-0x0000000000420000-0x00000000005EC000-memory.dmp

                                            Filesize

                                            1.8MB

                                            Download