Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-12-2024 20:36

General

  • Target

    33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe

  • Size

    1.7MB

  • MD5

    9bc6e385c3ed07d8041688367cd4c950

  • SHA1

    f33c82f203ce08807d5f4429e6f4c858ec8b8dc6

  • SHA256

    33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bc

  • SHA512

    57d183506d509d587a998e9a2069f3c0c8ef5cdeb31f8a8fbbfa280c120f5e373f9ff213081fea07f8fa1c55d2d95353cf7a78979703df5eb3a5602126b4e2ad

  • SSDEEP

    49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
    "C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1356
        • C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
          "C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEOgu8eF3a.bat"
            4⤵
              PID:2956
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                5⤵
                  PID:2744
                • C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
                  "C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"
                  5⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1796
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1240
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2936
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2308
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2288
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1584
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3024
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2564
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1664
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1648
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2376
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1092
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0hEHdXHWCj.bat"
                    6⤵
                      PID:2736
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        7⤵
                          PID:1300
                        • C:\Program Files\Uninstall Information\explorer.exe
                          "C:\Program Files\Uninstall Information\explorer.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2360
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ac2e50-90a3-4706-ab04-e8f19e109c41.vbs"
                            8⤵
                              PID:2396
                              • C:\Program Files\Uninstall Information\explorer.exe
                                "C:\Program Files\Uninstall Information\explorer.exe"
                                9⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2440
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc323218-54a1-417d-b530-4fc56d9fe75d.vbs"
                                  10⤵
                                    PID:864
                                    • C:\Program Files\Uninstall Information\explorer.exe
                                      "C:\Program Files\Uninstall Information\explorer.exe"
                                      11⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1852
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb31b9d1-c4bc-4797-8e43-58aa00845752.vbs"
                                        12⤵
                                          PID:1844
                                          • C:\Program Files\Uninstall Information\explorer.exe
                                            "C:\Program Files\Uninstall Information\explorer.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2392
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8754e934-ef94-4704-9e44-a039a878f03a.vbs"
                                              14⤵
                                                PID:748
                                                • C:\Program Files\Uninstall Information\explorer.exe
                                                  "C:\Program Files\Uninstall Information\explorer.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1300
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856c19fe-0107-47eb-b61a-938733aaa35e.vbs"
                                                    16⤵
                                                      PID:2964
                                                      • C:\Program Files\Uninstall Information\explorer.exe
                                                        "C:\Program Files\Uninstall Information\explorer.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1840
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58ea90ce-a0a7-4118-b853-d2d8432dfb6d.vbs"
                                                          18⤵
                                                            PID:1340
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\176436f0-8160-4ecf-8775-efc2209a6e32.vbs"
                                                            18⤵
                                                              PID:1528
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\898cc9f0-5218-496b-a7d5-7da2b1087ed2.vbs"
                                                          16⤵
                                                            PID:2692
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfe75889-fd18-442c-b3b4-ca7bec20566b.vbs"
                                                        14⤵
                                                          PID:1792
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cf0fae-2d71-48d8-93a1-cd12eae58388.vbs"
                                                      12⤵
                                                        PID:760
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01232c8-22b5-461f-8a25-dab7cde0ff17.vbs"
                                                    10⤵
                                                      PID:2744
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01f97401-0244-4edc-9775-205dde8f8602.vbs"
                                                  8⤵
                                                    PID:352
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\System.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2692
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2732
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2796
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2676
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2560
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2824
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2768
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2896
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2732
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2808
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2868
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2668
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:612
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2716
The remaining 46 schtasks.exe invocations (image C:\Windows\system32\schtasks.exe in every case) carried the same two signature hits, "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". The pattern is uniform: for each dropped copy the sample registers three tasks, a MINUTE-interval task with no run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. The ONLOGON task is named after the binary; the interval tasks are named after the binary with its own first letter appended (smsss, OSPPSVCO, WmiPrvSEW, servicess, dwmd, explorere, audiodga, winlogonw, lsassl, spoolsvs). Every call ends in /f, which overwrites any existing task of that name without a warning. The dwm.exe copy under C:\Recovery receives two full triplets (PIDs 2952/3028/2284 and 2520/2256/3068).

| PID  | Task (/tn) | Trigger (/sc, /mo) | Run level (/rl) | Target (/tr) |
| ---- | ---------- | ------------------ | --------------- | ------------ |
| 2548 | smsss     | every 9 min  | HIGHEST | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe |
| 2584 | OSPPSVCO  | every 8 min  | -       | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe |
| 2840 | OSPPSVC   | ONLOGON      | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe |
| 2836 | OSPPSVCO  | every 14 min | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe |
| 1216 | WmiPrvSEW | every 12 min | -       | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe |
| 984  | WmiPrvSE  | ONLOGON      | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe |
| 1260 | WmiPrvSEW | every 5 min  | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe |
| 2212 | servicess | every 8 min  | -       | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe |
| 2392 | services  | ONLOGON      | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe |
| 1488 | servicess | every 14 min | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe |
| 1788 | servicess | every 13 min | -       | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe |
| 892  | services  | ONLOGON      | HIGHEST | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe |
| 1248 | servicess | every 9 min  | HIGHEST | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe |
| 608  | dwmd      | every 9 min  | -       | C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe |
| 1704 | dwm       | ONLOGON      | HIGHEST | C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe |
| 2332 | dwmd      | every 13 min | HIGHEST | C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe |
| 2952 | dwmd      | every 10 min | -       | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 3028 | dwm       | ONLOGON      | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 2284 | dwmd      | every 5 min  | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 2520 | dwmd      | every 6 min  | -       | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 2256 | dwm       | ONLOGON      | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 3068 | dwmd      | every 13 min | HIGHEST | C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe |
| 2884 | explorere | every 12 min | -       | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe |
| 2068 | explorer  | ONLOGON      | HIGHEST | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe |
| 744  | explorere | every 6 min  | HIGHEST | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe |
| 1948 | audiodga  | every 12 min | -       | C:\Program Files\7-Zip\Lang\audiodg.exe |
| 940  | audiodg   | ONLOGON      | HIGHEST | C:\Program Files\7-Zip\Lang\audiodg.exe |
| 2404 | audiodga  | every 14 min | HIGHEST | C:\Program Files\7-Zip\Lang\audiodg.exe |
| 2096 | winlogonw | every 14 min | -       | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe |
| 1496 | winlogon  | ONLOGON      | HIGHEST | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe |
| 2856 | winlogonw | every 5 min  | HIGHEST | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe |
| 2408 | lsassl    | every 11 min | -       | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe |
| 1076 | lsass     | ONLOGON      | HIGHEST | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe |
| 2156 | lsassl    | every 10 min | HIGHEST | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe |
| 2268 | explorere | every 12 min | -       | C:\Program Files\Uninstall Information\explorer.exe |
| 1940 | explorer  | ONLOGON      | HIGHEST | C:\Program Files\Uninstall Information\explorer.exe |
| 2480 | explorere | every 14 min | HIGHEST | C:\Program Files\Uninstall Information\explorer.exe |
| 2828 | WmiPrvSEW | every 13 min | -       | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe |
| 2748 | WmiPrvSE  | ONLOGON      | HIGHEST | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe |
| 1396 | WmiPrvSEW | every 13 min | HIGHEST | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe |
| 2684 | spoolsvs  | every 7 min  | -       | C:\Windows\Setup\spoolsv.exe |
| 1952 | spoolsv   | ONLOGON      | HIGHEST | C:\Windows\Setup\spoolsv.exe |
| 2528 | spoolsvs  | every 7 min  | HIGHEST | C:\Windows\Setup\spoolsv.exe |
| 2572 | audiodga  | every 12 min | -       | C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe |
| 2760 | audiodg   | ONLOGON      | HIGHEST | C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe |
| 2824 | audiodga  | every 12 min | HIGHEST | C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe |

None of these target paths is where the genuine binary lives: smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, spoolsv.exe, dwm.exe and audiodg.exe belong in C:\Windows\System32, WmiPrvSE.exe in C:\Windows\System32\wbem, and explorer.exe in C:\Windows. A task whose action carries one of those names from an MSOCache, Recovery, Program Files or 7-Zip directory is the single most useful hunting key this report gives.
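As an added detection example (not code from the sandbox report or from the malware), the Python below parses schtasks /create command lines of the kind listed above, as they would arrive in Sysmon Event ID 1 or EDR process-creation telemetry, and flags the masquerading pattern: a system-process name run from a non-system directory, re-run at minute intervals and at logon with /rl HIGHEST. The sample input embeds six lines copied from this report plus two constructed benign lines; the SYSTEM_NAMES set, the LEGIT_PREFIXES tuple and the "AcmeBackup" and real-path WmiPrvSE control lines are assumptions made for the example.

```python
"""Flag schtasks.exe /create lines that install name-masquerading persistence.

Added detection example for this report (not the sandbox's own tooling).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Binary names the dropper borrows (taken from the task list in this report).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "spoolsv.exe", "dwm.exe", "audiodg.exe", "wmiprvse.exe", "explorer.exe",
    "osppsvc.exe",
}
# Lower-cased prefixes of where the genuine binaries live (assumed list).
# A copy of one of the names above under any other path is what we want.
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\explorer.exe",  # explorer.exe sits in %SystemRoot% itself
    # Office Software Protection Platform service (Office 2010 default location)
    "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\",
)
# schtasks switches that take no value; every other switch consumes the next token.
NO_VALUE = {"/create", "/f", "/z", "/np", "/it"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted argument or bare word


def parse_create(cmdline):
    """Return {name, target, sc, mo, rl} for a schtasks /create line, else None."""
    toks = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and key not in NO_VALUE and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = ""
            i += 1
    if "/create" not in opts or "/tr" not in opts:
        return None
    # The dropper wraps the /tr path in single quotes inside the double quotes;
    # peel one layer of quotes and keep what was inside them.
    raw = opts["/tr"].strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        target = raw[1:end] if end > 0 else raw[1:]
    else:
        target = raw
    return {"name": opts.get("/tn", ""), "target": target,
            "sc": opts.get("/sc", "").upper(), "mo": opts.get("/mo", ""),
            "rl": opts.get("/rl", "").upper()}


def assess(task):
    """Reasons a parsed task looks like masquerading persistence; [] if it does not."""
    path = PureWindowsPath(task["target"])
    name, full = path.name.lower(), task["target"].lower()
    if name not in SYSTEM_NAMES or full.startswith(LEGIT_PREFIXES):
        return []  # not a system-binary name, or the genuine location
    reasons = [f"{name} run from {path.parent}, not a system directory"]
    stem = name[:-4]
    # Naming quirk seen in this report: the task is the binary's stem, or the
    # stem with its own first letter appended (smss -> smsss, dwm -> dwmd).
    if task["name"].lower() in (stem, stem + stem[:1]):
        reasons.append(f"task name {task['name']!r} derived from the binary name")
    if task["rl"] == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if task["sc"] == "MINUTE":
        reasons.append(f"re-run every {task['mo'] or '1'} min")
    elif task["sc"] == "ONLOGON":
        reasons.append("re-run at every logon")
    return reasons


def hunt(cmdlines):
    """Parse every line, keep the flagged tasks, group them by target binary."""
    hits = defaultdict(list)
    for line in cmdlines:
        task = parse_create(line)
        if task is None:
            continue
        reasons = assess(task)
        if reasons:
            hits[task["target"]].append((task["name"], reasons))
    return dict(hits)


# Sample input: six /create lines copied from the process list above, plus two
# constructed benign lines (the "AcmeBackup" task and the real-path WmiPrvSE
# task are made up for contrast and do not appear in the report).
SAMPLE = [
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "C:\Windows\System32\wbem\WmiPrvSE.exe" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for target, tasks in hunt(SAMPLE).items():
        print(target)
        for name, reasons in tasks:
            print(f"  {name}: " + "; ".join(reasons))
```

Feed real process-creation command lines into hunt() to get the flagged tasks grouped by the binary they launch, which is the grouping that exposes the one-binary-three-tasks triplets seen above. The path check is deliberately the primary signal: a system-binary name alone is not suspicious, and a task with /rl HIGHEST at logon is common for legitimate software, so both are reported only as context once the location is wrong.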

                                    Network

All observed traffic is explorer.exe talking to 195.3.223.79:80. The report lists twelve identical flows, each 152 B / 120 B and 3 / 3 packets, i.e. twelve short exchanges with the same host rather than one sustained session:

| Destination      | Process      | Bytes     | Packets | Flows |
| ---------------- | ------------ | --------- | ------- | ----- |
| 195.3.223.79:80  | explorer.exe | 152 / 120 | 3 / 3   | 12    |

The network table does not record which explorer.exe this is. The scheduled tasks above point at two dropped copies of that name (under C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ and C:\Program Files\Uninstall Information\), so the image path of the connecting process should be checked before the traffic is attributed to the real shell.

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

Dropped files recorded by the sandbox. The csrss.exe copy under C:\Recovery is the only PE in the list; the rest are VBS and BAT staging scripts written to the user's Temp directory, plus one jump-list file.

• C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe (1.7MB)
  MD5    920a04e16bc43b2ce8de7c3c8b87ab19
  SHA1   352fed4a83e9fa9eac7a9dab71341ba4af87ca2c
  SHA256 1094dd9e2d0c2429d40edbba6d476433d622215c44afde83224b9ba5542e06c6
  SHA512 3d94a1d90ff547e8ae7bec8313d1c041752acc83ca73726858474aabc8b93005339634f155e7d0583de6921cce41ca55f793d08f3386be8365ed7821ea531bca

• C:\Users\Admin\AppData\Local\Temp\01f97401-0244-4edc-9775-205dde8f8602.vbs (503B)
  MD5    fdb20532ef16e8035c3f3edab1310f1a
  SHA1   1544242bd20dda96530c34d586289609e052011e
  SHA256 fc07d6f547a4ffce00bba381ec703aea9383e2be6f14326dc1b002bb995e6954
  SHA512 7cb9dd4abe3ac81a2cf8f6fe0cea8a1811addc902d7bcfd506d1643e7ed625f665f7ac7c3bd1e40b22ba01beddd7d238b67084b92e98e6b01ef03dae556f2622

• C:\Users\Admin\AppData\Local\Temp\0hEHdXHWCj.bat (216B)
  MD5    baf0a1963f4bb6afd3ff151bbd2f49ad
  SHA1   39fab5c14e8d6539ae41ce54c93b968d5ca41ef0
  SHA256 711c1a6a627efddb5a40b3fe571bb492b29fb925b8ac9a4ef9dcbedf59777c8d
  SHA512 97eacca7362912e5476b19eec52b3b13fe550ad41a61079862af58330cd9cba372f47fc4323f016fcc4d838a6abb213f059ce569e580bb69ed2644de9895ca6a

• C:\Users\Admin\AppData\Local\Temp\15ac2e50-90a3-4706-ab04-e8f19e109c41.vbs (727B)
  MD5    75f0308a374ebd6979269d1ec30d8690
  SHA1   f1a651d757960b9f222f42e3ccbee056228729fb
  SHA256 304ff821a93f5651f61402d4cf29f4146d3fb0d7ca583c8f02b89e3c96d4a92f
  SHA512 9fee4cddca8f2e84377f00ad5cc41236d5c3927756ceb7bfcaf84c143a05b3cc41b9579f75bc7026b2d8ba9c96f1c37d926c0645744b6318b1ca8666318378a8

• C:\Users\Admin\AppData\Local\Temp\58ea90ce-a0a7-4118-b853-d2d8432dfb6d.vbs (727B)
  MD5    7b5d365840707d152226667ef5d15379
  SHA1   7d3b8664f8d462a95d5a2f0f24b29602d0e128fc
  SHA256 36505821389e2ed3f3e83db507c65ca71d58d0dd0c9f737cdd02c9416ab5ec16
  SHA512 3f483e0bd86e8af77a06a3021c6f0eac073e469579090c26773ee828178312950c5dacfc8d42b09772cd6f2a0c4fc8883afe9b5607d934cc5749ef2939497968

• C:\Users\Admin\AppData\Local\Temp\856c19fe-0107-47eb-b61a-938733aaa35e.vbs (727B)
  MD5    4fb0ad833d077f474071cbce674d9d37
  SHA1   2fc15efcd1019287bd669966aa793c97c77bdc5a
  SHA256 f24b280e0c5e5c517cd6e982b92458923247444248f3e9d4dcb1da839cf4384e
  SHA512 ff7758d468474a2567d7bbb22e9ad58259b58f30566be1cc8d3add4cced17bf1c62bffe1984e82719237681c3a910183c48f43ceb764449be6331c9c785cda09

• C:\Users\Admin\AppData\Local\Temp\8754e934-ef94-4704-9e44-a039a878f03a.vbs (727B)
  MD5    b7ad240e8f8c8b8e99f44543d79e46e0
  SHA1   f42d2770dfb7c688f9b1fa3bb4651c3989dbc9fe
  SHA256 1d3792d86bad85f469685134bffc95d3a2e7dae9322d075ad8301d855eba58b3
  SHA512 a184f5d0d7c5798b57cc4aacc8f7a2b9fb6bb056f2d3fa915297c53c5d52fa5c1f1eb19951effb4a96a46a19d42dfc74df1a4dcfd6893d31e30684a266dd5be1

• C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat (268B)
  MD5    4cb78e3ebdb03b51371698330711726f
  SHA1   8a2101ccbf232510ed128b4b52d41c411318d9f7
  SHA256 5cb03aac03b964b7209abb8649eae127b229db9962ef2d471d7c815deba8eefe
  SHA512 195a60ec1f85adda4ffc48ebb29e0e3b1907b90cf0468b32d4c28adddc27187b0a8411127f0856f677712b9c184cd0bb30d8f0db1b54136f2ac622f5dc525312

• C:\Users\Admin\AppData\Local\Temp\LEOgu8eF3a.bat (268B)
  MD5    1979655435834f4ba222716e4e1fb31c
  SHA1   318acbe6eabe169232ff0e24ff2c2d7a84f6d6c8
  SHA256 0b22f506f9588f081e16003df228ca9838bf04886951c99498ba266a6d9e9ffb
  SHA512 9f3acd770250431934ae3b8b7033a28ce354e3e58fb140f4c2d74da8c00491e80fd58c4460707de330bea706369dde622a3a491a3ab495f0517fb2d0ad46ab22

• C:\Users\Admin\AppData\Local\Temp\bc323218-54a1-417d-b530-4fc56d9fe75d.vbs (727B)
  MD5    749f9ed7eaa83862523b73c861a87290
  SHA1   c01002654a66c81399b46201647ef141baa11d88
  SHA256 8760cb90b24add4d3180ab7a59509d272ad5eb12ff1ff4de422011bffdadc47c
  SHA512 28ecb2916afa0013cb18dbbfb13cb6e56975438831f28806287494777632bd9099f52b339cd439a23e1079610e8a758950376f5831698e84c0027c97778ec867

• C:\Users\Admin\AppData\Local\Temp\cb31b9d1-c4bc-4797-8e43-58aa00845752.vbs (727B)
  MD5    61c4967f2188e999f61f5806609eb734
  SHA1   482017a0eb5b4fc2751b71b62ba8fa8043bf3afc
  SHA256 a0b7cc120294b3f7c67bc57038c7c5f286b55bf7f8acaf1b32038cc1e0f5a735
  SHA512 59b9dd3a6e3e081fad1a2635b9ef571b4bb55d2b658cbbdd201096a08cdfbb63ad80e9684391ab90b6891671cb333750707769863f3cd0b72c65d05d0e0fc702

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (7KB)
  MD5    c0bead43b0916879b4846463ca73734b
  SHA1   72304d2ec95d1b62f334698f7de69e20b699beae
  SHA256 905dc62707a3355854df46f3a09622dbdf4103dbba6e730b19533c94e5e48552
  SHA512 dc815ef145b0682b67289c1f6e7744adcdd36d8cd412c696d867aa4176e6529bd793c7a76569e8173e2a2ae9641dd7572a5b8ba88ddaf4d4b103efef04b21b00

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                      MD5

                                      bbb7335eaac75cfb34f4e89debcf6935

                                      SHA1

                                      b7fd174455249c3fc4355b920678f8f44604fa91

                                      SHA256

                                      590965d1b2d3dc441733798eab709ad0624afc1074afdad3a5116a39de2627d2

                                      SHA512

                                      8216718789d9f5cc9a944a23a6bb2cbf247ad04fc24c4ee91b024cdfa275fa13c3cf0734d38c7639180d16e8b0b04e697c769a335859412161f85cb5247b9769

                                    • C:\Windows\PolicyDefinitions\System.exe

                                      Filesize

                                      1.7MB

                                      MD5

                                      9bc6e385c3ed07d8041688367cd4c950

                                      SHA1

                                      f33c82f203ce08807d5f4429e6f4c858ec8b8dc6

                                      SHA256

                                      33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bc

                                      SHA512

                                      57d183506d509d587a998e9a2069f3c0c8ef5cdeb31f8a8fbbfa280c120f5e373f9ff213081fea07f8fa1c55d2d95353cf7a78979703df5eb3a5602126b4e2ad

• memory/668-183-0x0000000002290000-0x0000000002298000-memory.dmp
  Filesize: 32KB

• memory/668-182-0x000000001B620000-0x000000001B902000-memory.dmp
  Filesize: 2.9MB

• memory/1120-110-0x000000001B7A0000-0x000000001BA82000-memory.dmp
  Filesize: 2.9MB

• memory/1540-5-0x0000000000390000-0x00000000003A0000-memory.dmp
  Filesize: 64KB

• memory/1540-16-0x0000000000710000-0x000000000071C000-memory.dmp
  Filesize: 48KB

• memory/1540-56-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
  Filesize: 9.9MB

• memory/1540-20-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
  Filesize: 9.9MB

• memory/1540-0-0x000007FEF5083000-0x000007FEF5084000-memory.dmp
  Filesize: 4KB

• memory/1540-17-0x00000000021E0000-0x00000000021EC000-memory.dmp
  Filesize: 48KB

• memory/1540-1-0x00000000003B0000-0x0000000000570000-memory.dmp
  Filesize: 1.8MB

• memory/1540-2-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
  Filesize: 9.9MB

• memory/1540-3-0x0000000000360000-0x000000000037C000-memory.dmp
  Filesize: 112KB

• memory/1540-11-0x00000000005B0000-0x00000000005C2000-memory.dmp
  Filesize: 72KB

• memory/1540-15-0x0000000000700000-0x0000000000708000-memory.dmp
  Filesize: 32KB

• memory/1540-14-0x0000000000670000-0x000000000067E000-memory.dmp
  Filesize: 56KB

• memory/1540-13-0x0000000000720000-0x000000000072A000-memory.dmp
  Filesize: 40KB

• memory/1540-7-0x00000000003A0000-0x00000000003B0000-memory.dmp
  Filesize: 64KB

• memory/1540-12-0x0000000000660000-0x000000000066C000-memory.dmp
  Filesize: 48KB

• memory/1540-6-0x0000000000570000-0x0000000000586000-memory.dmp
  Filesize: 88KB

• memory/1540-9-0x00000000005A0000-0x00000000005A8000-memory.dmp
  Filesize: 32KB

• memory/1540-8-0x0000000000590000-0x000000000059C000-memory.dmp
  Filesize: 48KB

• memory/1540-4-0x0000000000380000-0x0000000000388000-memory.dmp
  Filesize: 32KB

• memory/1796-230-0x00000000010C0000-0x0000000001280000-memory.dmp
  Filesize: 1.8MB

• memory/1840-380-0x0000000001390000-0x0000000001550000-memory.dmp
  Filesize: 1.8MB

• memory/1840-111-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
  Filesize: 32KB

• memory/1852-346-0x0000000001220000-0x00000000013E0000-memory.dmp
  Filesize: 1.8MB

• memory/2360-324-0x0000000000AA0000-0x0000000000C60000-memory.dmp
  Filesize: 1.8MB

• memory/2500-121-0x0000000000550000-0x0000000000562000-memory.dmp
  Filesize: 72KB

• memory/2500-120-0x0000000000E20000-0x0000000000FE0000-memory.dmp
  Filesize: 1.8MB
