Overview

overview

10

Static

static

10

e64b687735...eb.exe

windows7-x64

8

e64b687735...eb.exe

windows10-2004-x64

8

e65dc6f84e...10.exe

windows7-x64

10

e65dc6f84e...10.exe

windows10-2004-x64

10

e67e28bf49...ac.exe

windows7-x64

10

e67e28bf49...ac.exe

windows10-2004-x64

10

e699919d5d...ad.exe

windows7-x64

3

e699919d5d...ad.exe

windows10-2004-x64

3

e70b65e1d8...21.exe

windows7-x64

10

e70b65e1d8...21.exe

windows10-2004-x64

10

e7193d3473...84.exe

windows7-x64

10

e7193d3473...84.exe

windows10-2004-x64

10

e740e379c5...b9.exe

windows7-x64

10

e740e379c5...b9.exe

windows10-2004-x64

10

e751c36e12...39.exe

windows7-x64

1

e751c36e12...39.exe

windows10-2004-x64

1

e7573bcf85...a1.exe

windows7-x64

7

e7573bcf85...a1.exe

windows10-2004-x64

7

e787228874...9b.exe

windows7-x64

10

e787228874...9b.exe

windows10-2004-x64

10

e80000db8c...4b.exe

windows7-x64

10

e80000db8c...4b.exe

windows10-2004-x64

10

e82aaf456a...e7.exe

windows7-x64

10

e82aaf456a...e7.exe

windows10-2004-x64

10

e864953c3a...53.exe

windows7-x64

10

e864953c3a...53.exe

windows10-2004-x64

10

e8686658e2...12.exe

windows7-x64

3

e8686658e2...12.exe

windows10-2004-x64

3

e8add32344...f4.exe

windows7-x64

10

e8add32344...f4.exe

windows10-2004-x64

10

e8cdbe10bd...14.exe

windows7-x64

10

e8cdbe10bd...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e864953c3a95b063ace86177e1914753.exe

  • Size

    5.9MB

  • MD5

    e864953c3a95b063ace86177e1914753

  • SHA1

    472bc71ef2e9c06ff3271fc0623f79a95ed2fe93

  • SHA256

    d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9

  • SHA512

    f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435

  • SSDEEP

    98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4J:hyeU11Rvqmu8TWKnF6N/1wo

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 18 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 18 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe
    "C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6016
    • C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe
      "C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6r4pisGLtF.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:448
          • C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe
            "C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2376
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2140
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2248
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4716
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2096
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5024
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2052
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5164
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1708
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat"
              5⤵
                PID:5400
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4564
                  • C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe
                    "C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe"
                    6⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:5212
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd81d2f-ad2f-4c2c-83c0-24f8767add98.vbs"
                      7⤵
                        PID:4860
                        • C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe
                          C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe
                          8⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:384
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8779c8-0953-4746-badb-7d24265a48c2.vbs"
                            9⤵
                              PID:2740
                              • C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe
                                C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe
                                10⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2784
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf63d56e-b0cd-4911-8279-74adbc3c9656.vbs"
                                  11⤵
                                    PID:1768
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa257211-3dc4-4a43-ba8a-c0596c593249.vbs"
                                    11⤵
                                      PID:5084
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3bd5a56-b050-4def-93b5-ffa4b5c5a7dd.vbs"
                                  9⤵
                                    PID:1380
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b79c721-014f-4191-b4b1-6625c92a4d6b.vbs"
                                7⤵
                                  PID:4700
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4508
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4536
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3548
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5820
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4188
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4368
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\unsecapp.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5568
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Tasks\unsecapp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1032
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\unsecapp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4496
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4736
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4824
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4844
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4616
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4772
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4996
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4344_533282869\sppsvc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1216
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4344_533282869\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4948
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4344_533282869\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4956
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753e" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\e864953c3a95b063ace86177e1914753.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3036
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\e864953c3a95b063ace86177e1914753.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1864
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753e" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\e864953c3a95b063ace86177e1914753.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3952
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3432
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1268
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5304
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5420
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5480
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3456
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5152
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2876
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1032
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\smss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4984
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3572
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1452
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2636
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2752
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4200
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4344_1101633263\winlogon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3840
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4344_1101633263\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:220
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4344_1101633263\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3308
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2004
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2372
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2840

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
                      Filesize

                      5.9MB

                      MD5

                      e864953c3a95b063ace86177e1914753

                      SHA1

                      472bc71ef2e9c06ff3271fc0623f79a95ed2fe93

                      SHA256

                      d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9

                      SHA512

                      f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435

                      Download Submit

                    • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe
                      Filesize

                      5.9MB

                      MD5

                      80f4b332ba051ea28d98bbf17ccc4722

                      SHA1

                      ce3957b773765c25009eba50ede517bdfd25ff23

                      SHA256

                      080cc9b13183d93a5fcf7676c2ee40f7140c5c11ab5461fb1748c40493cc4a8d

                      SHA512

                      a6d7f2e360b05fcb2f42e48b620dcc26afe822b9df4b35784236e45990f20a499b28a7106e81d3b7e43e040647854723380f68cbe3155756f2d41ff735795b8c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log
                      Filesize

                      1KB

                      MD5

                      229da4b4256a6a948830de7ee5f9b298

                      SHA1

                      8118b8ddc115689ca9dc2fe8c244350333c5ba8b

                      SHA256

                      3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

                      SHA512

                      3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e864953c3a95b063ace86177e1914753.exe.log
                      Filesize

                      1KB

                      MD5

                      612072f28dae34eb75a144057666a2ba

                      SHA1

                      3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

                      SHA256

                      ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

                      SHA512

                      b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      681e61532ff712d8340986e1c9913ef5

                      SHA1

                      84a8edb57465d211a98980b5788c18a2584edcdf

                      SHA256

                      d6bd79a01f6f2501487a2e7cad738bd2fb6ee772191a79d15cad1b995bcdb66a

                      SHA512

                      26822d15d1c676fe6f59470b828b783751187947a22f2e0baded0629473f78e33f3c048e0bc3548e1e4ad817fadac968a91dca1f1231433204df0b5ead03462f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      acb0e0db180c73954955309f90c91376

                      SHA1

                      c27f2c17cfa4fd4a92174eb548aacf6606814cf4

                      SHA256

                      10c4266a001dde473f229f0ad24a3ba938d703f7c80debe52f6f49d3441cc849

                      SHA512

                      6fffb653f2da467d9d0cec17d2a39c6bd89321c5193a093547f20af70f7f74800045273860165543779a9298c9bbace104f8710bc1557ff9a31d6cbec3a298fc

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      4552709998d20ebebb7d79b1e2caba85

                      SHA1

                      a136173b2c02a5c678afbfb05d859dcf7fce5e73

                      SHA256

                      e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

                      SHA512

                      53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      9ec1de5af22ee94e2a00a91da98957bd

                      SHA1

                      0ade5098be757a47adb6d5d0dbf576bcf41d6253

                      SHA256

                      540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

                      SHA512

                      8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      7cd541695b3cebb31ad4b3e131bfb4d5

                      SHA1

                      16d8085de66ff920f6028c282afb3183bed8865a

                      SHA256

                      dc0ae36677b455e1b5c66859b5b2cac1b3a29aabd281f52ac682cc4b99b84fe3

                      SHA512

                      f90fa2d9c231a0a00579deafce7b74c2f043485d560c4377c2591a37dad4c79638b30025adb896107a3cb9b5f21f24289f1fe1f3bb73dcd16e346ab95b7bd56f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      2d06ce10e4e5b9e174b5ebbdad300fad

                      SHA1

                      bcc1c231e22238cef02ae25331320060ada2f131

                      SHA256

                      87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

                      SHA512

                      38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      085e0a3b869f290afea5688a8ac4e7c5

                      SHA1

                      0fedef5057708908bcca9e7572be8f46cef4f3ca

                      SHA256

                      1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

                      SHA512

                      bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      a9a7f35c006bbf5da72f9cb250ffbddb

                      SHA1

                      458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

                      SHA256

                      a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

                      SHA512

                      d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      145039ee65251da29aa337556cab6c61

                      SHA1

                      5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

                      SHA256

                      26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

                      SHA512

                      d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      d3e8199b4634731cf0a0c26c1f14f588

                      SHA1

                      7f8fae27eb80055a436a6b5457978f32673d9ad4

                      SHA256

                      ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

                      SHA512

                      806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      e3898d01727158944b6574f7ab56b17e

                      SHA1

                      2f435ca2f65cafed4e3fc2759dbc7634c0f6c57b

                      SHA256

                      1810c08a4e6a93c8565059055fbf4b8f67409ab6271ae5664f2b3fd2b22fa645

                      SHA512

                      5a7a3a48c2ac25eee945fa28660fe57d94de3a2374ecd15ef2220db95f8ee833b23302806487f5d7e9378da628a21d089bbe80c9d962df7935162112faef03bb

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      dd0716df5ff6e2ed8bfa08e271d64dd8

                      SHA1

                      c342bbe936058ea27843d5dbe5eb434f926612f7

                      SHA256

                      15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

                      SHA512

                      7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      6019bc03fe1dc3367a67c76d08b55399

                      SHA1

                      3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

                      SHA256

                      7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

                      SHA512

                      6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      3c625954a51c4bbd8141206b00f6fc0a

                      SHA1

                      4128cb2f9d2984844e303e2e330e448334e5c273

                      SHA256

                      952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

                      SHA512

                      3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      64B

                      MD5

                      e22899c92245a561afa0953d27ab8bbd

                      SHA1

                      01a429418fe4bb3bc422f815641f6b52c3edf915

                      SHA256

                      d302efdf3a8d5956f127fc501dfbe83574b14c3c51cba5a77b17bcb947a13c2a

                      SHA512

                      339b858c8b3f20fe942443a74169d840677b0e4d603b1957222dcb313c059f4a72f8ae9cb3d636ad7719ad2c9046a7bbeea843e65a83d4da39540719cce0c46a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\3bd81d2f-ad2f-4c2c-83c0-24f8767add98.vbs
                      Filesize

                      721B

                      MD5

                      1d24cba92dc3410f1436bc16279c8c7d

                      SHA1

                      562bf069198fcdd7ab822c2b10e764d955c885bd

                      SHA256

                      d1f31185fb5ff24e77240354a1df446ae083a6494308d3641f20c2195abdaa9b

                      SHA512

                      fb57218039e6c75be0cd57f1ca488c3fd58da541b293d9a182a70cbd448de238c2183cc2ae523834c42ac73497bd78b81bce83a149d0a7455420bfb82dc84c2b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\6r4pisGLtF.bat
                      Filesize

                      235B

                      MD5

                      e480686199a38b16587bd4bf1905af0b

                      SHA1

                      6349019c318ad367d4c80c3727d55e83064379bc

                      SHA256

                      f0b0368b4cda5bb4cb4a32c7f8071674e9274ad9bc2723b0677b3dddb7b31e9b

                      SHA512

                      65b61b79a3f44ad2a9be0443e71191d5cb359bf7802315a923808b40b14541081b8ef2554364f573d01e717fd4b159795ab8ee5e95440ad7d4d56b5c39b1e92a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\7b8779c8-0953-4746-badb-7d24265a48c2.vbs
                      Filesize

                      720B

                      MD5

                      d98670a36b25fb3ac600be65aa8b848b

                      SHA1

                      78c4e8480b1a6fe63c832f2af4161056090c8549

                      SHA256

                      edb6c31885fd874a1fda4b5d38cd87fc18657224b851489f8e8f4ebf4ed05e37

                      SHA512

                      fac8b39c50f865843af1a1933ef5dadbb45183806c88e229a577b7cab76c49e8576351b0d9831aca217e18cd0075e7458c09763778b6241cf44971d1210f386e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\8b79c721-014f-4191-b4b1-6625c92a4d6b.vbs
                      Filesize

                      497B

                      MD5

                      d160da6d8ffb31692d10a7bd59db6072

                      SHA1

                      804cf60b307730fc5d0062c2af16143736c561f7

                      SHA256

                      d0a7a5ff6cc16c6b55330351a50c9aa75be22f4d18f9cfbbe5b56446c5aafbb2

                      SHA512

                      13d7fd12f0b65694a9f29d8c490960fd933fa155ce6d27fd94243da49ebfdcdd3f7051f54907166d59e3e579b3738e5403ecd913496b82f4ffb28ee30bd82e08

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pji41alv.0w2.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\bf63d56e-b0cd-4911-8279-74adbc3c9656.vbs
                      Filesize

                      721B

                      MD5

                      5782bb993acede4374d5bd8aeb245f30

                      SHA1

                      228dc6b0440f40cbd750a560be4b968accf2249a

                      SHA256

                      726fa9636bc58b37ec59262b1c5aa787f164a933fb4a9ad7709dbd73987d4040

                      SHA512

                      2168d329e67909d124f2033998dec9246ab21f0cfdf3693fb5a52f5375a5c36ea7ac9264e2dcf4f1fb1b85e9e6cca6e5820990bfa04907ed1e598f37a1c9660e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat
                      Filesize

                      210B

                      MD5

                      af28871015eaf5d67490e1e9b436ebfa

                      SHA1

                      63d2f02014f42022842eb68bab41b2b618392c66

                      SHA256

                      e8fa82d4a1d82b7f67f97e35b589cd14d0a4b81ceed061f999e3f6808f60e9b5

                      SHA512

                      ec16b8893369f347ef5d4b2c77156ccdb1a6c5c2edd892488b6afc0dca22a6392cafbf84d1762612e19b1a1f0a6d055e4634611a947bac3e8c0227b55dd40758

                      Download Submit

                    • memory/384-618-0x000000001C180000-0x000000001C192000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1980-278-0x000000001DB00000-0x000000001DB12000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2376-442-0x0000000002FF0000-0x0000000003002000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3060-26-0x000000001D250000-0x000000001D25C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-41-0x000000001D530000-0x000000001D53C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-29-0x000000001D280000-0x000000001D28C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-28-0x000000001D270000-0x000000001D278000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-25-0x000000001D780000-0x000000001DCA8000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/3060-15-0x000000001D000000-0x000000001D008000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-12-0x000000001B900000-0x000000001B908000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-32-0x000000001D4A0000-0x000000001D4AC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-11-0x000000001CFD0000-0x000000001CFE6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3060-8-0x000000001D020000-0x000000001D070000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/3060-7-0x000000001B8C0000-0x000000001B8DC000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/3060-6-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-33-0x000000001D4B0000-0x000000001D4BA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3060-34-0x000000001D4C0000-0x000000001D4CE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3060-1-0x0000000000290000-0x0000000000B88000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/3060-249-0x00007FFAE86E0000-0x00007FFAE91A1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3060-35-0x000000001D4D0000-0x000000001D4D8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-36-0x000000001D4E0000-0x000000001D4EE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3060-38-0x000000001D500000-0x000000001D50C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-39-0x000000001D520000-0x000000001D528000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-40-0x000000001D630000-0x000000001D63A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3060-31-0x000000001D510000-0x000000001D518000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-37-0x000000001D4F0000-0x000000001D4F8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-30-0x000000001D290000-0x000000001D29C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-27-0x000000001D260000-0x000000001D26C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-0-0x00007FFAE86E3000-0x00007FFAE86E5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3060-18-0x000000001D190000-0x000000001D1E6000-memory.dmp

                      Filesize

                      344KB

                      Download

                    • memory/3060-20-0x000000001D1F0000-0x000000001D1F8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-21-0x000000001D200000-0x000000001D20C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-22-0x000000001D210000-0x000000001D218000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-24-0x000000001D220000-0x000000001D232000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3060-19-0x000000001D1E0000-0x000000001D1EC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-17-0x000000001D180000-0x000000001D18A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3060-16-0x000000001D170000-0x000000001D180000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3060-14-0x000000001D010000-0x000000001D01C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3060-13-0x000000001CFF0000-0x000000001D002000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3060-9-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3060-2-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3060-10-0x000000001B8F0000-0x000000001B900000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3060-5-0x0000000002CC0000-0x0000000002CCE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3060-4-0x0000000002CB0000-0x0000000002CBE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3060-3-0x00007FFAE86E0000-0x00007FFAE91A1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3388-138-0x0000025E7E5D0000-0x0000025E7E5F2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/5212-604-0x0000000002D90000-0x0000000002DA2000-memory.dmp

                      Filesize

                      72KB

                      Download