Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 12:27

General

  • Target

    BoosterX.exe

  • Size

    8.6MB

  • MD5

    1ea4535c88b03713785f9303d4c522ae

  • SHA1

    ee34a528ff322c5034105b6c6eb97bf13c3567fb

  • SHA256

    00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546

  • SHA512

    3ed3cf5296e8126743945c35f76324db516b503aa3dd62984613b2e522cdd4618fa997f6e339592e4838c53d49ec9269a3ed3e5b7f89e4d7639415ab4c712f0d

  • SSDEEP

    196608:eSFFBadbelmNOxwuLlA1HeT39IigJ1ncKOVVtk7ZZtQcNP+P:l0Wmkqr1+TtIi00VQ/6Z

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  • Process spawned unexpected child process (18 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings (2 TTPs, 18 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (19 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 11 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class (16 IoCs)
  • Runs ping.exe (1 TTP, 11 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (17 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
    "C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
      "C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe -p1234
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe -p1234
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:220
            • C:\MsComcomponentcrtSvc.sfx.exe
              MsComcomponentcrtSvc.sfx.exe -p1234
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\MsComcomponentcrtSvc.exe
                "C:\MsComcomponentcrtSvc.exe"
                7⤵
                • Modifies WinLogon for persistence
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2792
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.cmdline"
                  8⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1276
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA827.tmp" "c:\Windows\System32\CSCC5900AE748AE45B3A83EAC225EBFBAF7.TMP"
                    9⤵
                      PID:4092
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uRFxLXVm6V.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:860
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      9⤵
                        PID:2692
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        9⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2488
                      • C:\Program Files\Internet Explorer\services.exe
                        "C:\Program Files\Internet Explorer\services.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2148
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3012
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            11⤵
                              PID:1264
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              11⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2432
                            • C:\Program Files\Internet Explorer\services.exe
                              "C:\Program Files\Internet Explorer\services.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1836
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5048
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  13⤵
                                    PID:3988
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    13⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4032
                                  • C:\Program Files\Internet Explorer\services.exe
                                    "C:\Program Files\Internet Explorer\services.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1088
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4164
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        15⤵
                                          PID:5060
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          15⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3548
                                        • C:\Program Files\Internet Explorer\services.exe
                                          "C:\Program Files\Internet Explorer\services.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:4516
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2136
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              17⤵
                                                PID:3716
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                17⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:1076
                                              • C:\Program Files\Internet Explorer\services.exe
                                                "C:\Program Files\Internet Explorer\services.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:4672
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:944
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    19⤵
                                                      PID:3684
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      19⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:4312
                                                    • C:\Program Files\Internet Explorer\services.exe
                                                      "C:\Program Files\Internet Explorer\services.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1216
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat"
                                                        20⤵
                                                          PID:1020
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            21⤵
                                                              PID:3852
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              21⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:3988
                                                            • C:\Program Files\Internet Explorer\services.exe
                                                              "C:\Program Files\Internet Explorer\services.exe"
                                                              21⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2808
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat"
                                                                22⤵
                                                                  PID:4068
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    23⤵
                                                                      PID:4460
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      23⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:3036
                                                                    • C:\Program Files\Internet Explorer\services.exe
                                                                      "C:\Program Files\Internet Explorer\services.exe"
                                                                      23⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4304
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
                                                                        24⤵
                                                                          PID:1588
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            25⤵
                                                                              PID:2792
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:4472
                                                                              • C:\Program Files\Internet Explorer\services.exe
                                                                                "C:\Program Files\Internet Explorer\services.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4516
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat"
                                                                                  26⤵
                                                                                    PID:404
                                                                                    • C:\Windows\system32\chcp.com
                                                                                      chcp 65001
                                                                                      27⤵
                                                                                        PID:3948
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        27⤵
                                                                                          PID:1708
                                                                                        • C:\Program Files\Internet Explorer\services.exe
                                                                                          "C:\Program Files\Internet Explorer\services.exe"
                                                                                          27⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2388
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
                                                                                            28⤵
                                                                                              PID:2944
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                29⤵
                                                                                                  PID:4696
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  29⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1048
                                                                                                • C:\Program Files\Internet Explorer\services.exe
                                                                                                  "C:\Program Files\Internet Explorer\services.exe"
                                                                                                  29⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3816
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
                                                                                                    30⤵
                                                                                                      PID:3512
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        31⤵
                                                                                                          PID:4092
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          31⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:4760
                                                                                                        • C:\Program Files\Internet Explorer\services.exe
                                                                                                          "C:\Program Files\Internet Explorer\services.exe"
                                                                                                          31⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2524
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat"
                                                                                                            32⤵
                                                                                                              PID:1676
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                33⤵
                                                                                                                  PID:3952
                                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                  33⤵
                                                                                                                    PID:4676
                                                                                                                  • C:\Program Files\Internet Explorer\services.exe
                                                                                                                    "C:\Program Files\Internet Explorer\services.exe"
                                                                                                                    33⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:2764
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat"
                                                                                                                      34⤵
                                                                                                                        PID:3088
                                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                                          chcp 65001
                                                                                                                          35⤵
                                                                                                                            PID:3632
                                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                            35⤵
                                                                                                                              PID:2236
                                                                                                                            • C:\Program Files\Internet Explorer\services.exe
                                                                                                                              "C:\Program Files\Internet Explorer\services.exe"
                                                                                                                              35⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1944
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat"
                                                                                                                                36⤵
                                                                                                                                  PID:2184
                                                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                                                    chcp 65001
                                                                                                                                    37⤵
                                                                                                                                      PID:4380
                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                      37⤵
                                                                                                                                        PID:468
                                                                                                                                      • C:\Program Files\Internet Explorer\services.exe
                                                                                                                                        "C:\Program Files\Internet Explorer\services.exe"
                                                                                                                                        37⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Modifies registry class
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:4516
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XilJTboezA.bat"
                                                                                                                                          38⤵
                                                                                                                                            PID:5052
                                                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                                                              chcp 65001
                                                                                                                                              39⤵
                                                                                                                                                PID:2672
                                                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                                                ping -n 10 localhost
                                                                                                                                                39⤵
                                                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                • Runs ping.exe
                                                                                                                                                PID:4292
                                                                                                                                              • C:\Program Files\Internet Explorer\services.exe
                                                                                                                                                "C:\Program Files\Internet Explorer\services.exe"
                                                                                                                                                39⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:4456
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4596
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1596
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1836
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1696
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3320
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:912
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\services.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2696
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3988
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4032
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4956
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4876
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4420
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\unsecapp.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3192
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2468
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1412
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 13 /tr "'C:\MsComcomponentcrtSvc.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4772
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "MsComcomponentcrtSvc" /sc ONLOGON /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4296
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 8 /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4028

                                                                  Downloads

                                                                  • C:\1.bat

                                                                    Filesize

                                                                    54B

                                                                  • C:\MsComcomponentcrtSvc.exe

                                                                    Filesize

                                                                    1.8MB

                                                                  • C:\MsComcomponentcrtSvc.sfx.exe

                                                                    Filesize

                                                                    1.8MB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

                                                                    Filesize

                                                                    1KB

                                                                  • C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat

                                                                    Filesize

                                                                    223B

                                                                  • C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat

                                                                    Filesize

                                                                    175B

                                                                  • C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat

                                                                    Filesize

                                                                    223B

                                                                  • C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat

                                                                    Filesize

                                                                    175B

                                                                  • C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat

                                                                    Filesize

                                                                    175B

                                                                  • C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat

                                                                    Filesize

                                                                    223B

                                                                  • C:\Users\Admin\AppData\Local\Temp\RESA827.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    79ecbdd8654338dfee5f1fa59144cb08

                                                                    SHA1

                                                                    146d2d119f4b28bc99a493ff5822c7d573ac73c0

                                                                    SHA256

                                                                    acd177c87a269381f9c18d41cecc83168d69de7cdfd72670fe0a150cc01ddd40

                                                                    SHA512

                                                                    2a96a63575508ced59d7f995a0ed09b5972d85944074a7a5dfeec28b10e629ce86c24471807aaf0f256515f047f0339a3c8f7cc64af275007436c6d621f23bb9

                                                                  • C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    8288df92fb12c4c7d34d4ef9cb5b1b8c

                                                                    SHA1

                                                                    002f54e53cc57bc40a47367cd9684825325830d9

                                                                    SHA256

                                                                    d86eb4538a0344609f756ad35232c974f470afbdf99418022acac0a465c1dd2a

                                                                    SHA512

                                                                    ac9280474fafe8f8d181d57548241d187668d909bde1e96e62f9d9f021129fe7d9fd40cb8dc0462c98e5b2f4721d2df70df517b813cca2bc9c8939bd31530220

                                                                  • C:\Users\Admin\AppData\Local\Temp\XilJTboezA.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    af958375d2a1ff7a61e8a342ca9f2e02

                                                                    SHA1

                                                                    c22427974da748ae37f039a49026615e9761efdd

                                                                    SHA256

                                                                    dc67dd18892e740781b1632c5e59b60229f34abce89c3169cd8b656dd746870b

                                                                    SHA512

                                                                    436c5e770245ce858d4346e37f44f889bd738dafbf00c6a2e8506b29c6ff34672b312d9b5406f6c4c6fb42f43779fa5d59c3c49b1ccf86ffb0da61dec6f443d0

                                                                  • C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    4f1f1c4492c671cbb5debfc033536ce6

                                                                    SHA1

                                                                    f9fe821fb1b794bbd0f808eb48dead9385ab507e

                                                                    SHA256

                                                                    be1686736ce101f15b5bfac3d0c21c0187f5bb317259a4db5b32f4751b7e8723

                                                                    SHA512

                                                                    17ea67d119f5dfcedbc36f0a58c654fe68dd0c5e682fe35e56a780a5d231014222995799852e7fbd9f935088777ca7de644ba380f5d6fc14bee59df7f218aeb7

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe

                                                                    Filesize

                                                                    2.0MB

                                                                    MD5

                                                                    07bca6291ca09ee9ae15ad2424063579

                                                                    SHA1

                                                                    b975e2cbb5ca257155d2bec47475e042c71dceb9

                                                                    SHA256

                                                                    b9d69b3ba71ed3b691ae0b455e3a84443be1aa026f563a9c04e3506b106595e5

                                                                    SHA512

                                                                    5b9f315f389eb3671b08c054e18fa13a1a2d2bb4f063168a621ae176214301ed6794d425445fa96d99474d58628abb7e787799363fabaf85392d8119ab1bf4a9

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\VCRUNTIME140.dll

                                                                    Filesize

                                                                    116KB

                                                                    MD5

                                                                    be8dbe2dc77ebe7f88f910c61aec691a

                                                                    SHA1

                                                                    a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                                                                    SHA256

                                                                    4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                                                                    SHA512

                                                                    0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\_bz2.pyd

                                                                    Filesize

                                                                    83KB

                                                                    MD5

                                                                    5bebc32957922fe20e927d5c4637f100

                                                                    SHA1

                                                                    a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

                                                                    SHA256

                                                                    3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

                                                                    SHA512

                                                                    afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\_decimal.pyd

                                                                    Filesize

                                                                    251KB

                                                                    MD5

                                                                    492c0c36d8ed1b6ca2117869a09214da

                                                                    SHA1

                                                                    b741cae3e2c9954e726890292fa35034509ef0f6

                                                                    SHA256

                                                                    b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

                                                                    SHA512

                                                                    b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\_hashlib.pyd

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    da02cefd8151ecb83f697e3bd5280775

                                                                    SHA1

                                                                    1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

                                                                    SHA256

                                                                    fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

                                                                    SHA512

                                                                    a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\_lzma.pyd

                                                                    Filesize

                                                                    156KB

                                                                    MD5

                                                                    195defe58a7549117e06a57029079702

                                                                    SHA1

                                                                    3795b02803ca37f399d8883d30c0aa38ad77b5f2

                                                                    SHA256

                                                                    7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

                                                                    SHA512

                                                                    c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\_socket.pyd

                                                                    Filesize

                                                                    81KB

                                                                    MD5

                                                                    dd8ff2a3946b8e77264e3f0011d27704

                                                                    SHA1

                                                                    a2d84cfc4d6410b80eea4b25e8efc08498f78990

                                                                    SHA256

                                                                    b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

                                                                    SHA512

                                                                    958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\base_library.zip

                                                                    Filesize

                                                                    1.3MB

                                                                    MD5

                                                                    43935f81d0c08e8ab1dfe88d65af86d8

                                                                    SHA1

                                                                    abb6eae98264ee4209b81996c956a010ecf9159b

                                                                    SHA256

                                                                    c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

                                                                    SHA512

                                                                    06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\libcrypto-3.dll

                                                                    Filesize

                                                                    5.0MB

                                                                    MD5

                                                                    e547cf6d296a88f5b1c352c116df7c0c

                                                                    SHA1

                                                                    cafa14e0367f7c13ad140fd556f10f320a039783

                                                                    SHA256

                                                                    05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

                                                                    SHA512

                                                                    9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\python312.dll

                                                                    Filesize

                                                                    6.6MB

                                                                    MD5

                                                                    d521654d889666a0bc753320f071ef60

                                                                    SHA1

                                                                    5fd9b90c5d0527e53c199f94bad540c1e0985db6

                                                                    SHA256

                                                                    21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

                                                                    SHA512

                                                                    7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\select.pyd

                                                                    Filesize

                                                                    30KB

                                                                    MD5

                                                                    d0cc9fc9a0650ba00bd206720223493b

                                                                    SHA1

                                                                    295bc204e489572b74cc11801ed8590f808e1618

                                                                    SHA256

                                                                    411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

                                                                    SHA512

                                                                    d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI8202\unicodedata.pyd

                                                                    Filesize

                                                                    1.1MB

                                                                    MD5

                                                                    cc8142bedafdfaa50b26c6d07755c7a6

                                                                    SHA1

                                                                    0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

                                                                    SHA256

                                                                    bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

                                                                    SHA512

                                                                    c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

                                                                  • C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    fd8457312eb059100321e69d94390135

                                                                    SHA1

                                                                    e2d7e36ba9f9d833226c50ebf4f16853011fc0ff

                                                                    SHA256

                                                                    346898839f8f1320ea82f8bdbbbc8ed5cba1f1311a02c88a1a77bd82f12fc5a4

                                                                    SHA512

                                                                    3d893e4e7e7050db509c1c13fc92d29593eee1c265f0ed5f32d0d3948160e63bc30bfa31e8dda4a2bc86b0684e0f10dc44946c61a8a45a9f616a9725eaf28271

                                                                  • C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

                                                                    Filesize

                                                                    223B

                                                                    MD5

                                                                    9fbaffe81bfbd607c12a796424e3846a

                                                                    SHA1

                                                                    3ddfcc54ef402b0bba5bb100a83d6d2f7a4f8714

                                                                    SHA256

                                                                    22c54dbe75e7bc06c2be66d9d08d4bdce8e4bba51048e42822c5a2ae914c3695

                                                                    SHA512

                                                                    9d8baee8d887d9ce1613c1f349a66880ca623704110983bb95ae6498eabdea1ec0fb82589838882e8361e79e6e4b41eee6620c51ee0097b4a0f8592822ce27c4

                                                                  • C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    81e4ede0c7fe0defc328fbfce18943bc

                                                                    SHA1

                                                                    7189a0c49ff7be9c8e1087bcde3cb0f9829d4cd8

                                                                    SHA256

                                                                    f790828f8f9e63fb4ea4334ea093356642c4b60841e9e01780212407e3b10a2f

                                                                    SHA512

                                                                    9550bec9bc49df4af8ce83ddf44d766927f71d301d36dcb27c3fd6b2d50f0ba7ce69cf784fa1db9b4c888f206f641b18e34bd4d466354d0d61209f9a00580511

                                                                  • C:\Users\Admin\AppData\Local\Temp\uRFxLXVm6V.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    10fff664ae7a8c4286496f5e60c70545

                                                                    SHA1

                                                                    495e9e086e76fa71d1f8c513b4b145946f983162

                                                                    SHA256

                                                                    85e12733a9858c2fbf88ae07806c21c685035f44c0be48a10b1c22b795f10b2b

                                                                    SHA512

                                                                    a9ce84af780dff8d94e5a3d6aefe1cabd442bd7e5148c8551d0dccd40f96a5541499fd9b0ff6a5d9cd9ffe7994c284fff12c7cb6bc406a41842fb320eac590f7

                                                                  • C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat

                                                                    Filesize

                                                                    175B

                                                                    MD5

                                                                    6952bcb39c823226603f6b75c73213b5

                                                                    SHA1

                                                                    b78dd215abdb8a9bcca5bf555ed2d1c449b1807c

                                                                    SHA256

                                                                    6b35f70d1159c8c1afa039412a7e7eb63ffb829eef4ce6a70b49af2b1e66969b

                                                                    SHA512

                                                                    32d2a187e87a9c9dee39ad9ad17f0899a4ee86262a1022ec2dfc9a9fdb3e1fd508870f9f53ea07934acf1f092cf5b3aaa10be3bab401edc4f60b263133c3e109

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.0.cs

                                                                    Filesize

                                                                    388B

                                                                    MD5

                                                                    4a60cfa72496ad4c6cad2dc84649d61a

                                                                    SHA1

                                                                    8391cec7cb29081d4750ecfe535a71187fe2196a

                                                                    SHA256

                                                                    5e4505e85dc7d08352da15909b6b621b90aa94eeb9bef94cc498fd975cd4b2ff

                                                                    SHA512

                                                                    7588edf5251e3027d6b5d57df00f67c04fe4ecefb02928e9ebd882f01d1500362d3c8c383d90f1c4a1f0a51feec532dd29cb9a9fb20993569aae642ceb902d95

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.cmdline

                                                                    Filesize

                                                                    235B

                                                                    MD5

                                                                    ab1eab60c7fe721a3764ff4744de45a4

                                                                    SHA1

                                                                    d42a0a96ad9414f071c7b3c03145d1eb385985ba

                                                                    SHA256

                                                                    c146c4b67044cc9a0f760822bf91a3f60e1a49e9b25b2fe64492e033846553fe

                                                                    SHA512

                                                                    f24b3fac34e7d80c97e33697ef41c60ee17f6d4fa2418dd6d864bbb8d7b9bf769dcab59d5372fbeb8cb23d7c586264f900f476749cc43192d70ac3414de51a34

                                                                  • \??\c:\Windows\System32\CSCC5900AE748AE45B3A83EAC225EBFBAF7.TMP

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    7bbfaf1199741b237d2493615c95c6d7

                                                                    SHA1

                                                                    86d466217c4dc1e0808f83ceda8f4b4df948b5dc

                                                                    SHA256

                                                                    e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

                                                                    SHA512

                                                                    2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

                                                                  • memory/2792-51-0x0000000001440000-0x000000000144E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/2792-49-0x0000000000B40000-0x0000000000D12000-memory.dmp

                                                                    Filesize

                                                                    1.8MB

                                                                  • memory/2792-53-0x000000001BC90000-0x000000001BCAC000-memory.dmp

                                                                    Filesize

                                                                    112KB

                                                                  • memory/2792-54-0x000000001BD00000-0x000000001BD50000-memory.dmp

                                                                    Filesize

                                                                    320KB

                                                                  • memory/2792-56-0x000000001BCB0000-0x000000001BCC8000-memory.dmp

                                                                    Filesize

                                                                    96KB