Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2025, 02:04

General

  • Target

    076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe

  • Size

    2.2MB

  • MD5

    be4ae5e0b545e43608ae6a60ce297871

  • SHA1

    ded512ee44ed38b7a6541b4e1d797387a27a5d93

  • SHA256

    076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533

  • SHA512

    45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3

  • SSDEEP

    24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 15 IoCs
  • Runs ping.exe 1 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
    "C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\msportComWin\BridgePortsurrogateserverref.exe
          "C:\msportComWin/BridgePortsurrogateserverref.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zqp3myp\2zqp3myp.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2076
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" "c:\Windows\System32\CSCFA575140291A4ADF8C8B4E814312586E.TMP"
              6⤵
                PID:3924
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1560
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1292
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1200
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4256
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4864
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4676
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2272
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2964
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2140
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\dwm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3476
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\csrss.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4552
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3736
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFGbDNzCnz.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:232
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:5484
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5904
                • C:\msportComWin\BridgePortsurrogateserverref.exe
                  "C:\msportComWin\BridgePortsurrogateserverref.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5508
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3268
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:5496
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:980
                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2564
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aqn4VxW4jp.bat"
                          9⤵
                            PID:5960
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              10⤵
                                PID:5976
                              • C:\Windows\system32\PING.EXE
                                ping -n 10 localhost
                                10⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:5812
                              • C:\msportComWin\BridgePortsurrogateserverref.exe
                                "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                10⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:6000
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat"
                                  11⤵
                                    PID:3684
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      12⤵
                                        PID:3712
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        12⤵
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        • Runs ping.exe
                                        PID:1296
                                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                        12⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3336
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat"
                                          13⤵
                                            PID:4744
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              14⤵
                                                PID:3716
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                14⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:1644
                                              • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                14⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:6048
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"
                                                  15⤵
                                                    PID:4800
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      16⤵
                                                        PID:1744
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        16⤵
                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                        • Runs ping.exe
                                                        PID:2500
                                                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                        16⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5212
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat"
                                                          17⤵
                                                            PID:6136
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              18⤵
                                                                PID:1436
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:5244
                                                                • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                  "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                  18⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5504
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat"
                                                                    19⤵
                                                                      PID:212
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        20⤵
                                                                          PID:3252
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          20⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4956
                                                                        • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                          "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                          20⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4416
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
                                                                            21⤵
                                                                              PID:5976
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                22⤵
                                                                                  PID:2276
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  22⤵
                                                                                    PID:4936
                                                                                  • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                    "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                    22⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3652
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
                                                                                      23⤵
                                                                                        PID:4736
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          24⤵
                                                                                            PID:5644
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            24⤵
                                                                                              PID:5716
                                                                                            • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                              "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                              24⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1984
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat"
                                                                                                25⤵
                                                                                                  PID:3000
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    26⤵
                                                                                                      PID:3104
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      26⤵
                                                                                                        PID:6068
                                                                                                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                                        26⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3336
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
                                                                                                          27⤵
                                                                                                            PID:1808
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              28⤵
                                                                                                                PID:6080
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                28⤵
                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                • Runs ping.exe
                                                                                                                PID:4016
                                                                                                              • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                                                "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                                                28⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:4884
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"
                                                                                                                  29⤵
                                                                                                                    PID:5176
                                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                                      chcp 65001
                                                                                                                      30⤵
                                                                                                                        PID:3248
                                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                                        ping -n 10 localhost
                                                                                                                        30⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        • Runs ping.exe
                                                                                                                        PID:4148
                                                                                                                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                                                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                                                        30⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:5552
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
                                                                                                                          31⤵
                                                                                                                            PID:3536
                                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                                              chcp 65001
                                                                                                                              32⤵
                                                                                                                                PID:3640
                                                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                32⤵
                                                                                                                                  PID:2256
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:952
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2904
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:692
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:848
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4812
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4104
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\dwm.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:5032
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\dwm.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:636
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\dwm.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1232
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3012
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3096
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3076
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\msportComWin\csrss.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4324
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\msportComWin\csrss.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4360
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\msportComWin\csrss.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2252
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 8 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4092
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "BridgePortsurrogateserverref" /sc ONLOGON /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4644
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 5 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4584

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BridgePortsurrogateserverref.exe.log

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    af6acd95d59de87c04642509c30e81c1

                                                                    SHA1

                                                                    f9549ae93fdb0a5861a79a08f60aa81c4b32377b

                                                                    SHA256

                                                                    7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

                                                                    SHA512

                                                                    93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                                    SHA1

                                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                    SHA256

                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                    SHA512

                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    77d622bb1a5b250869a3238b9bc1402b

                                                                    SHA1

                                                                    d47f4003c2554b9dfc4c16f22460b331886b191b

                                                                    SHA256

                                                                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                                    SHA512

                                                                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    6d42b6da621e8df5674e26b799c8e2aa

                                                                    SHA1

                                                                    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                                    SHA256

                                                                    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                                    SHA512

                                                                    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    2e907f77659a6601fcc408274894da2e

                                                                    SHA1

                                                                    9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                    SHA256

                                                                    385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                    SHA512

                                                                    34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    5f0ddc7f3691c81ee14d17b419ba220d

                                                                    SHA1

                                                                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                                    SHA256

                                                                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                                    SHA512

                                                                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    cadef9abd087803c630df65264a6c81c

                                                                    SHA1

                                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                    SHA256

                                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                    SHA512

                                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    59d97011e091004eaffb9816aa0b9abd

                                                                    SHA1

                                                                    1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                                    SHA256

                                                                    18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                                    SHA512

                                                                    d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                    SHA1

                                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                    SHA256

                                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                    SHA512

                                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Filesize

                                                                    64B

                                                                    MD5

                                                                    7e6fdff3e0906e5768bd9d1aaf79e7c6

                                                                    SHA1

                                                                    e39e8876af795de368317df21434a776aaf08739

                                                                    SHA256

                                                                    d2d0a34b64ca5fd333ac94e141b79473dae5d2aa55affeaf0d7fc4c0a1f46e2c

                                                                    SHA512

                                                                    e0232e4c521b0b36812ca369823b955dc71915a738e1c4c442b1d252da6319b9a2313b9e5db936fc83a7db70c8d120a1335323d26034db07dc91f6a6d13d70a4

                                                                  • C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    2d92e66903ff4d43f924dc3417cef554

                                                                    SHA1

                                                                    9d53d99c8ac5cdf4889d6a263d7b6751a79471e7

                                                                    SHA256

                                                                    c7cea9ee88c03ab71c7cca5802fa8696a018064d1dbcb4722677f52113b88e59

                                                                    SHA512

                                                                    4506ad131fbc9f14db5e4df367ffc8eac21bff61f72a4d25d7e13a99de484e0c7b42855490c74cb4cd7230643f85d347c34ae44c55f904d7ed630ca1263790a4

                                                                  • C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    1d7762ced4de8bafb0121f2c05721ea9

                                                                    SHA1

                                                                    3d66579410364037b283b15485872b8900f3bca0

                                                                    SHA256

                                                                    7e0a41b203fd20ed16a25c0141b19f5059ef432148c6faf31bb9bdc5b2a95035

                                                                    SHA512

                                                                    383c3cbd5a2657f6e96b9845d2e5a4ec4ab3c8d9a5ee21b84bc732e72dd01f80f3031ceeee5aae6ee2374f6d350cad66977bd2aeca288a247d42cfd5a3e6a589

                                                                  • C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    2dec09a7b2cd847a85817b676f43e6d0

                                                                    SHA1

                                                                    4c0e5835e399e8fb4bd332c96d2e87d0dd0ce4a0

                                                                    SHA256

                                                                    0139842a0a2fcd0b4078aa939ec761d50353f675e719e243d15f815be6be3d84

                                                                    SHA512

                                                                    2cc79a7065678f9db3414fe797a7622691467c9cca5f7ce32000e24141dd2565d7ed6befc2a19ced736a9091346bebd0c67873ed1de4a065a8d62f190c98b694

                                                                  • C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat

                                                                    Filesize

                                                                    224B

                                                                    MD5

                                                                    a1fadf7625cd5b168758b9feccdaef8e

                                                                    SHA1

                                                                    0e57f173399b2653cb1738543522e2639ed9a391

                                                                    SHA256

                                                                    c40a85f404a4a091d0da06dae99829fcd70a5bf0c224d2a72364b2f9e271b517

                                                                    SHA512

                                                                    dc75955a05984adfb8d1eb8475af89deb03b0a2c2b731407165f79d803a05ee90a0b69bbc7c034fb82414c2b17593163c1d30e9a52ad56b8b34f61c86bbeb08b

                                                                  • C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    c4b20ab430befafcd819d05b5c2a1ea3

                                                                    SHA1

                                                                    234794c064b007b056a8a3f5c605ee66284f8fb5

                                                                    SHA256

                                                                    a90c339ee3c13de139906b62d5a6b9d23726fa94b51ceed0c609a7bf004e68ff

                                                                    SHA512

                                                                    a4c04f65216bf79ce4cbcf4413d8554fa63f6800e2c2e580cd1301d985617fb6da11627452fd896d0a574bb9a2c3316f0ce6386d0b56e0dc24ba37b4fc198e45

                                                                  • C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    827f30ba869a19b4aa19df274f1e4fc7

                                                                    SHA1

                                                                    4b28d505fc31233bddb2b3006b0031c3123862f7

                                                                    SHA256

                                                                    f2eaa90921bf113963d409b5d0c05af0d3c04f6c8752546e5fc4afcc5c45a159

                                                                    SHA512

                                                                    2989ad2ae7686d6972ffaba1f0582d5ac9adb6d2665e2a5b00d871779a614a4ef10fea5e5bb83801f09d198a7e7b61efda0aee050dae3e20778e2c70485555ef

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnqlab2l.aal.ps1

                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                  • C:\Users\Admin\AppData\Local\Temp\aqn4VxW4jp.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    583897510c8dda9849afd41991788130

                                                                    SHA1

                                                                    14fae7a773927307366b19e38fc14fea7953ff8c

                                                                    SHA256

                                                                    5c66fd9354a081da66ff2222970a6906fdea3a74e43b0ec702179a11e403b10c

                                                                    SHA512

                                                                    083f48f34108598f0e1e4cec1898336b34717884cb6a085136890b4444a21d0651bce45aa89a0487328eb90acd7d6e77822c0fba1b1601ce0a06fdb5c085571e

                                                                  • C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat

                                                                    Filesize

                                                                    224B

                                                                    MD5

                                                                    e925089b54e3a1e966c3a19698dc124d

                                                                    SHA1

                                                                    ff8684f0f2d356807fbbf681576c060c1085789a

                                                                    SHA256

                                                                    909ff0a29207aad049a77bdc139ba935036adf6f1a4d3ce75c60658fa5e58fd5

                                                                    SHA512

                                                                    dbd96b7837d7968495ee4ef75f1747a1790ae1c620d3ce97cc02645defdecb2296fa0a31883d3189196fd36347d30e1fb0f701a11698e2b724a444fb40a00bd6

                                                                  • C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    36d2e13291f633423fbf7148b0308e76

                                                                    SHA1

                                                                    5ab26b610f7faeecdebe69ed70984d2ef279efc4

                                                                    SHA256

                                                                    a3646f993a431fe7784945762d6522aa19e4c5f94c2288be60ffe8e0b286f5c1

                                                                    SHA512

                                                                    04d3c02f1236d1f57e859ba89b7c83f5ee1fab70e986237a94ce53d943ddfeb956619b32507d147bc99dd0e6f9aecdb7281cdfc28ecf4f786c185e3fe5fcf053

                                                                  • C:\Users\Admin\AppData\Local\Temp\pFGbDNzCnz.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    ecbaeeb749d539d19344c09a8fa9c1d7

                                                                    SHA1

                                                                    f70cfc572cb3545b6b4b4b9e8741909094e1c0f1

                                                                    SHA256

                                                                    e02ff8251b9610d571a2efd5dc1d814f3c69b7808ef885537b9f346d0b676fb3

                                                                    SHA512

                                                                    369ee4fbdd2107ac3956365c1b0198f4a4c16f451fded61643554a8ea050fdc29efa08645c4e32f9b60b163a56bfd9729470d04fa7b026829d2d2293a1c4f7fb

                                                                  • C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat

                                                                    Filesize

                                                                    176B

                                                                    MD5

                                                                    f8e937abf5d3af2eb9a9661f111bef5b

                                                                    SHA1

                                                                    761b1dce74522e6081bc7dba69a733697d6e66b5

                                                                    SHA256

                                                                    0c970743938f8795834fdbdc1e9a26500e7d9cf75ae76fc0e2675deb67431b58

                                                                    SHA512

                                                                    50e628fbd0a6c02e0db715408f6860cb9c99c6d13490aaf2424cea695c1572b78821e8684660c0d7f44543cbf8c2a2686081861beffa49e5f3d4ff7a7a0339f6

                                                                  • C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat

                                                                    Filesize

                                                                    114B

                                                                    MD5

                                                                    ec4930435249e865ec0910b90ce34010

                                                                    SHA1

                                                                    e00242ba6b91abe0291ee6c003c7cda9f280a20c

                                                                    SHA256

                                                                    aecaccc8288e076efa186171eab1ce946b8c0438e607f00a442b04e1e080dfbb

                                                                    SHA512

                                                                    f1bb3a20bd279b62b94349d253b64a4bb9227fa214785e265b5f5457a552bddb141faea48109ed80a6d77f34c8ba68fd2911daa178893daee52259e89a6b80aa

                                                                  • C:\msportComWin\BridgePortsurrogateserverref.exe

                                                                    Filesize

                                                                    1.9MB

                                                                    MD5

                                                                    5f80a11e82cc7495cf5ad7df3d052721

                                                                    SHA1

                                                                    3a20eb31195a97cf5da7d3c20c1b8c4913b95a13

                                                                    SHA256

                                                                    851aa5f3636700f9bb71a4c0d040255f19871ba306f87d9f66b39f3b207ec15b

                                                                    SHA512

                                                                    7acdd2a4f5170212beabeba86dcb7a6be74c4c83815db3bb328d6541f6a259ec3c6ff469f103eb125163371f103ae3060404e1c34622f2d4d9cb34d2cc7b3c0d

                                                                  • C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe

                                                                    Filesize

                                                                    248B

                                                                    MD5

                                                                    528d2d62b3a0a43e28f6c5bc9e59fb49

                                                                    SHA1

                                                                    b8347b3f11fdb951bf4c930bef813180c42f98c1

                                                                    SHA256

                                                                    9d271ddb2a3de2347db1800f94865bab4758e8f89760f7f0fc6368eb14a9597b

                                                                    SHA512

                                                                    a208e41f97a080ab5550632daa10ac7d4d43ca603207406df14e749765662089f38ff52feced3083dbcb08daa2821e9fc6df511fa1a1f18b4b9e8e38f68fa171

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\2zqp3myp\2zqp3myp.0.cs

                                                                    Filesize

                                                                    380B

                                                                    MD5

                                                                    8662a1d53b912bd9b5e23f7670363ec2

                                                                    SHA1

                                                                    d28476b949e58b4388ba65b077524b1e758cb4ca

                                                                    SHA256

                                                                    c54055a7ae365e817943c9caf2d79671466d7a87ecb93018ab5771f4b6c1ea48

                                                                    SHA512

                                                                    aca91b4f7f83b7fe4ec423906dc84c17d313bb06a74ecb875dc8b5ecaacbfd1244ec253040b7a09f4c6c7bdc385cc8bfa2586b67f68cc5b4cc13b58d61867e7b

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\2zqp3myp\2zqp3myp.cmdline

                                                                    Filesize

                                                                    235B

                                                                    MD5

                                                                    8e47419723d5471841472e0d6692b4ee

                                                                    SHA1

                                                                    f8da0df1fc8aa26dc1bd24a608fee2331a958018

                                                                    SHA256

                                                                    637a5654a5982260bc80876689decc165b3f25b028f3db404f00e4e98321e02a

                                                                    SHA512

                                                                    e20bf2ba8da4358db47c9684023207f3427040442bdff002fcd94214d73762673adc934d54411188d42c9bc43cd28201904d1c5e08d1283e237645e527f7ce7c

                                                                  • \??\c:\Windows\System32\CSCFA575140291A4ADF8C8B4E814312586E.TMP

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    034b083b6729ade0b138a24cbdd66c6d

                                                                    SHA1

                                                                    299c5a9dd91498cfc4226a5fe6d52ea633c2d148

                                                                    SHA256

                                                                    8e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2

                                                                    SHA512

                                                                    43f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3

                                                                  • memory/2080-26-0x000000001AEC0000-0x000000001AECC000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                  • memory/2080-22-0x000000001AD50000-0x000000001AD5E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/2080-20-0x000000001AEA0000-0x000000001AEB8000-memory.dmp

                                                                    Filesize

                                                                    96KB

                                                                  • memory/2080-18-0x000000001AEF0000-0x000000001AF40000-memory.dmp

                                                                    Filesize

                                                                    320KB

                                                                  • memory/2080-17-0x000000001AE80000-0x000000001AE9C000-memory.dmp

                                                                    Filesize

                                                                    112KB

                                                                  • memory/2080-15-0x000000001AD00000-0x000000001AD0E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/2080-13-0x0000000000060000-0x0000000000250000-memory.dmp

                                                                    Filesize

                                                                    1.9MB

                                                                  • memory/2080-12-0x00007FFB67663000-0x00007FFB67665000-memory.dmp

                                                                    Filesize

                                                                    8KB

                                                                  • memory/2080-24-0x000000001AD60000-0x000000001AD6E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/2564-281-0x000000001BE90000-0x000000001BFFA000-memory.dmp

                                                                    Filesize

                                                                    1.4MB

                                                                  • memory/4132-60-0x0000014748620000-0x0000014748642000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                  • memory/5508-268-0x000000001BF20000-0x000000001C08A000-memory.dmp

                                                                    Filesize

                                                                    1.4MB