Overview

overview

10

Static

static

10

1d90d6c35e...9c.exe

windows7-x64

10

1d90d6c35e...9c.exe

windows10-2004-x64

10

1dbfa6282e...68.exe

windows7-x64

8

1dbfa6282e...68.exe

windows10-2004-x64

8

1dc47906f1...32.exe

windows7-x64

10

1dc47906f1...32.exe

windows10-2004-x64

10

1df5615c53...d6.exe

windows7-x64

10

1df5615c53...d6.exe

windows10-2004-x64

10

1e02f6a6c6...83.exe

windows7-x64

7

1e02f6a6c6...83.exe

windows10-2004-x64

7

1e055435ef...e4.exe

windows7-x64

10

1e055435ef...e4.exe

windows10-2004-x64

10

1e320ed242...cb.exe

windows7-x64

10

1e320ed242...cb.exe

windows10-2004-x64

10

1ec4b8acdc...65.exe

windows7-x64

1

1ec4b8acdc...65.exe

windows10-2004-x64

1

1ecd5f6fdf...82.exe

windows7-x64

10

1ecd5f6fdf...82.exe

windows10-2004-x64

10

1f0343adab...d3.exe

windows7-x64

10

1f0343adab...d3.exe

windows10-2004-x64

10

1f1f2a5e82...ba.exe

windows7-x64

10

1f1f2a5e82...ba.exe

windows10-2004-x64

10

1f2f396008...f5.exe

windows7-x64

10

1f2f396008...f5.exe

windows10-2004-x64

10

1f824bf7c7...67.exe

windows7-x64

10

1f824bf7c7...67.exe

windows10-2004-x64

10

1fb433aec1...59.exe

windows7-x64

10

1fb433aec1...59.exe

windows10-2004-x64

10

1fe86f0bbb...3e.exe

windows7-x64

10

1fe86f0bbb...3e.exe

windows10-2004-x64

10

201b2bf97d...42.exe

windows7-x64

10

201b2bf97d...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

  • Size

    1.6MB

  • MD5

    e38a8ba2db5ea28f0f52d37b4a9d0d45

  • SHA1

    eeb67e1eb72370ce24df9b82c6a7664176dfe064

  • SHA256

    1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

  • SHA512

    ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

  • SSDEEP

    24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
    "C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\taskhostw.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3880
    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c949f3f-c25a-4b0f-b107-703b9ea023b4.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3232
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b0611b7-dad3-4b2f-bec2-db23f6c3a886.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
              "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3492
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c46f133-1527-4131-8b99-17890d6ed87d.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2692
                • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                  "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3800
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a2ff72-1ac3-4947-bac5-5f3a636879ed.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4352
                    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4556
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe97b13-39db-46ab-b1fe-89453453e7c0.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1968
                        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4484
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ca9b53-4478-4623-b760-ca01ec897875.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4072
                            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                              "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4256
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f63b895e-2636-4f59-abd6-e673abcf9949.vbs"
                                15⤵
                                  PID:440
                                  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                    16⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:664
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97130727-1ab6-40d6-bcd0-1b454f49dc60.vbs"
                                      17⤵
                                        PID:2240
                                        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                          18⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4612
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\941601f7-a5f4-4c1c-9125-3fcd10b2f19c.vbs"
                                            19⤵
                                              PID:5052
                                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                                20⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4560
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5406efc6-66ae-4541-a2fe-93ca24c02499.vbs"
                                                  21⤵
                                                    PID:1464
                                                    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                                      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                                      22⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4072
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648a59d1-2f24-48a7-936f-d4100b24e00f.vbs"
                                                        23⤵
                                                          PID:1208
                                                          • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                                            "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                                            24⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2316
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2675b5c-cc1a-4238-8cfe-499e4fc3a2da.vbs"
                                                              25⤵
                                                                PID:3028
                                                                • C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
                                                                  "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
                                                                  26⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4824
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a58dbb-7931-44d2-902e-270d48c9f0bf.vbs"
                                                                25⤵
                                                                  PID:1520
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd310be-847c-422c-8e05-8994ffa4cd0d.vbs"
                                                              23⤵
                                                                PID:2544
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f7ff69-d557-4c4e-a295-e1b4a8e17906.vbs"
                                                            21⤵
                                                              PID:2616
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e066931-ae62-4725-b55c-a0056b97a9ab.vbs"
                                                          19⤵
                                                            PID:4416
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834631e0-ab55-49ab-af97-0495eb25444e.vbs"
                                                        17⤵
                                                          PID:1628
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feec0663-227c-4eb7-853e-b03d1555e992.vbs"
                                                      15⤵
                                                        PID:2836
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08686272-7a4d-401f-8a60-62e42a68fe47.vbs"
                                                    13⤵
                                                      PID:3324
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee867da9-2607-49a7-8a9c-d333f90ca5d2.vbs"
                                                  11⤵
                                                    PID:4980
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf46e9f-8ef9-4c3d-97c1-c9c53bd30f87.vbs"
                                                9⤵
                                                  PID:2076
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e92a4141-fa01-4775-9cb9-d1ae18cba492.vbs"
                                              7⤵
                                                PID:3488
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eb8ec4a-3716-4108-81ec-2994d9e1c851.vbs"
                                            5⤵
                                              PID:2648
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd4edb29-25fd-4e52-9bed-ee27d3fd8979.vbs"
                                          3⤵
                                            PID:1632
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\OfficeClickToRun.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4680
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2472
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3668
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:112
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4056
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4412
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4548
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4132
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2804
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:368
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2284
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2648
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1064
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4652
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Templates\taskhostw.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2300
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\taskhostw.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:320
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\taskhostw.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:224
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1864
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4868
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3540
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3764
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:664
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1620
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1524
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:632
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1552
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3048

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Recovery\WindowsRE\services.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        5bbd1b4e31c30afe0ec98d2e5411cb9c

                                        SHA1

                                        83582569499706a74e684362f50c3396c590363b

                                        SHA256

                                        de51446bdfdc379926433a71aa29e93f90d578772905b51c7ba65a60df8becb7

                                        SHA512

                                        8056fe98c3ca58b55d71b0961f4b9240c592037a01e1352f5caa6d2af442bd3b0cbd4d5262ece40959ab8dd31805588d1424d804dda5da000dbbb5b847588d23

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log
                                        Filesize

                                        1KB

                                        MD5

                                        3690a1c3b695227a38625dcf27bd6dac

                                        SHA1

                                        c2ed91e98b120681182904fa2c7cd504e5c4b2f5

                                        SHA256

                                        2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

                                        SHA512

                                        15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        c926b492b1d39d04f6e9656ec7f5877d

                                        SHA1

                                        c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

                                        SHA256

                                        b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

                                        SHA512

                                        df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        dc05a4f71923730b4eed5cb63f86aeed

                                        SHA1

                                        798199489ad94c55021a92ec812b320ed90b5711

                                        SHA256

                                        557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650

                                        SHA512

                                        fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        4ee21a21f8b414c5a89db56be6641dd5

                                        SHA1

                                        2403dc36f95bcc4536ac61057a9ce76e11b470f9

                                        SHA256

                                        49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

                                        SHA512

                                        996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        9ea4fdbf8bad883929456091a1e50194

                                        SHA1

                                        fc3b6026729ad36729c2cc4349b8e7a94255ad71

                                        SHA256

                                        ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

                                        SHA512

                                        27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        80dfd43d9904cb4bdd37f6934f47ccf8

                                        SHA1

                                        72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

                                        SHA256

                                        a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

                                        SHA512

                                        793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        57a97b6c8c4cecbbaca70e7453397c5e

                                        SHA1

                                        89aaaa12386a9b191b7570c942b6c302bce1b218

                                        SHA256

                                        61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

                                        SHA512

                                        0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\4b0611b7-dad3-4b2f-bec2-db23f6c3a886.vbs
                                        Filesize

                                        749B

                                        MD5

                                        2b9e2935b1533f8555d878f0ea7ca265

                                        SHA1

                                        f2fa92858db3748f0829b526e45925e81fac505e

                                        SHA256

                                        01837b765b7157ba122eacacb85589681ac96077c1ef68f4be18be705f444034

                                        SHA512

                                        c0313b0b1c9cb34c5c12affaf4660713bba7ec3d676aba5ba093b5c13929caff2a210019a7e2c568d047e8d8d0f1a3d063e57f5fe5ab71651645408a5d1f1e92

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\5406efc6-66ae-4541-a2fe-93ca24c02499.vbs
                                        Filesize

                                        749B

                                        MD5

                                        4678883e4ec164fb015c743ebee6d199

                                        SHA1

                                        a2267a007d9ff53a84d7a764a7e7cfafd371c57d

                                        SHA256

                                        9caf22178c8e32a512d3243ec3daca86da733e7cc1bceaeb628ca709ca1a593e

                                        SHA512

                                        243a0ddc913401b3738fa284d466d5ade62b9b363ebbc565f4b43c0ca41c7c55583b4ae58f2a0989f764ab7a2d05389120962c13178269d192cd388bfdfd7330

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\5c46f133-1527-4131-8b99-17890d6ed87d.vbs
                                        Filesize

                                        749B

                                        MD5

                                        756d5d1d83f46303c6aed50eb8476cfc

                                        SHA1

                                        e75e269c7d19b9ab346323ffdd71ff1706bc7767

                                        SHA256

                                        10a489773dde50c2be46f82ac432e0ff5368fe7fc49c01c295ce56492043869c

                                        SHA512

                                        5426891e023c2a2cb1d50fbb8fd4ce335d160323e5470e7d446f4558d58226c30f53a20661aca84c1e1cbd4bc3d55ac9ca7095c4f263e7032fb41a02535c0bad

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\648a59d1-2f24-48a7-936f-d4100b24e00f.vbs
                                        Filesize

                                        749B

                                        MD5

                                        60b811860044ddbd268f9f3fbce4890a

                                        SHA1

                                        6b9d61b09624eff51916df7437a95e1da87e1a3d

                                        SHA256

                                        fd659a9576704e939a97758dd76e930f61dc2ea90e0f2fd7be870bb7d8099951

                                        SHA512

                                        0f4a9cc775863b22c11f272640222390f3620972c840d1206d5d48d40a9e77bd1e09ac7db209c5d1b13fc38845dc54066ed666be12fc4cb4eb0748019a06b6e1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\78ca9b53-4478-4623-b760-ca01ec897875.vbs
                                        Filesize

                                        749B

                                        MD5

                                        19140116bbbc3560bc00a69eec812155

                                        SHA1

                                        e4a22882d6bb350d084ebf91ac52505b55f75714

                                        SHA256

                                        1c5135a121a480e3c38fabaa8269a51acf014f4a4702bba995c4abe54d419969

                                        SHA512

                                        cbd6b9c3cb9e3092a8c79340ad93efbd51947c57d6cbb4849c59168fb2ec1bfc99c2197a983067c57281f5d0165fcc5a9bf96d2f856980b53f0fa6c5855f44ed

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\8c949f3f-c25a-4b0f-b107-703b9ea023b4.vbs
                                        Filesize

                                        749B

                                        MD5

                                        c1b8a05ddaf125db717edd2d272ce0e0

                                        SHA1

                                        d0bc5570a0fd694f6373209d8a2e910568e29bd6

                                        SHA256

                                        98c66bb3551d7a4ea085a5b7e0fc16f4dfebf42e2da5c7f92969b7f96c44ee34

                                        SHA512

                                        be33af98e090989581850f2506d11fc6cb27591226ff18dac8b28ac28e19ea864c6ab20e12a8b85087d35ee1e6a6fa6e661cad88263229b41d2383c4a9b32f0c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\941601f7-a5f4-4c1c-9125-3fcd10b2f19c.vbs
                                        Filesize

                                        749B

                                        MD5

                                        4cc6d446d6eab40ae1ca5aa300face0c

                                        SHA1

                                        977fbcfcf62130bcab4eb371139576037157e8a5

                                        SHA256

                                        8c7cfbec41223b9f3745da9e4e7185a532e258ecf738ff087c08be9a8e7c45c1

                                        SHA512

                                        774ad5337cce8e4a88e923d0b037a4b4414af2f45eaef5978899ce353d69f898f1a99d3d752ac46661404ccddeebccba00149cf7b44d6bae092d7419a335fe9e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\97130727-1ab6-40d6-bcd0-1b454f49dc60.vbs
                                        Filesize

                                        748B

                                        MD5

                                        b4e5e9f944ad64b214f7e7703c9aca0f

                                        SHA1

                                        0f8cfe17583c4de54b3cd32769238c172e959bd3

                                        SHA256

                                        738d845163b1da55ab2edfc629e41d479146b75ede3947e2fe8e0acfc964398a

                                        SHA512

                                        a6dccd643897f8adc15f0d74ceb0650e89c8480ef9a4ee4e89ecc2f83d719856ba2ee77d928e04336cd5328bd380781de8542202b309f222ce8cd4c60de1d861

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldpyi5sr.pt2.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\b5a2ff72-1ac3-4947-bac5-5f3a636879ed.vbs
                                        Filesize

                                        749B

                                        MD5

                                        397f70b362ac493425780514522fe135

                                        SHA1

                                        2b4f5b920141814f524b6e4cb74dcfb94241b2bf

                                        SHA256

                                        b759511b9f61fc62b8eafab9eaa733bf035483bf1ae3963097fcb771e49ed67f

                                        SHA512

                                        730f219c41f03a77bee6b1c7a9294d70064792c21a670676c2c3eaf2379043ca761b757a8ef61d059eb2e8d3710a91bfbb1785277560f57266dfea92dc25ec41

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\d2675b5c-cc1a-4238-8cfe-499e4fc3a2da.vbs
                                        Filesize

                                        749B

                                        MD5

                                        96dfaa16f4d895dac096a011888145c3

                                        SHA1

                                        928b3326331371c420671293c71eb68bd15c4d2b

                                        SHA256

                                        e3372e7514f98e23f11feed2e683b737d86cba645a70e9ba014b32ed32c3d666

                                        SHA512

                                        31bd7dd91398b65d58cdb7523928ab4c5d77d296cf1c0e4b927b5c9372ca0056dbd3d427513b577f3d6af0b354efe67faac4d678385ee491652b6a216c228a34

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\dd4edb29-25fd-4e52-9bed-ee27d3fd8979.vbs
                                        Filesize

                                        525B

                                        MD5

                                        795ca9113e8bf0e53f5c867e2b66ff19

                                        SHA1

                                        14d8119d1d4e5bc13579bede679c5625af630268

                                        SHA256

                                        b4e185a37cc25cda07149fe57c122414aa10bf1a97391f29c4ad430c78ff5775

                                        SHA512

                                        6f59f4a0b49c55ae105a61ba23116d2e6711cff3fe73993e18d9c8e91e312fa717a423456644524f2d7e378d88d77531cdf5eff412bff949cd0960146ddaf858

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\f63b895e-2636-4f59-abd6-e673abcf9949.vbs
                                        Filesize

                                        749B

                                        MD5

                                        46a444d7d8dcb5f11f9e73275fd98637

                                        SHA1

                                        8abe4c3c798d0408e229b4267a9afb26484b317a

                                        SHA256

                                        bec296c9df23c6d0b6815e517ffee68c850833c1931354412c6adfdd2f33f748

                                        SHA512

                                        72692629e8d5e2ad4ef7fb8f923f04a237793e9c754487766146a4935288ce538cb214104eb7c5b0d3fa1dff8a50a0b3c459b7fef49e7e83bac8d1d1fcfcc5b5

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\fbe97b13-39db-46ab-b1fe-89453453e7c0.vbs
                                        Filesize

                                        749B

                                        MD5

                                        70313a59915398152a6925c0085d7262

                                        SHA1

                                        a67eaabecc321c2a41da3395714359342bde950e

                                        SHA256

                                        f793bc513dd1b6985525c199858a4c7dadaba17304634d0900be5646c4a1278a

                                        SHA512

                                        98ce01596832edc9a9cabe1da42f0a4656590e3a622014eea2e1da812397a6ebaffc22b5f36b8de942316b3144b1b7edf67853a85abf154bb3b28810c79e4343

                                        Download Submit

                                      • C:\Users\Admin\Saved Games\RuntimeBroker.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        c58e83868a3c22705f7839342d915741

                                        SHA1

                                        3debb87bb64cda85701747e0567056ec7fbae470

                                        SHA256

                                        93568fefcfe2e4d69db2c538e1e0cb8cc987c766e2a83438f18a2faa243c1105

                                        SHA512

                                        905d3d0919c6618300dc04252e5529aa1910a4e751d3d13b2dacb0835ec8097667c033269b1cc39840e526a72af2d36a511a20ce350353946ca33a5639d1dc60

                                        Download Submit

                                      • C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        94460f71f8aa459e55d29dea0c7ff8b3

                                        SHA1

                                        bf2b3e6738672a4001388a3161b86191c98aada5

                                        SHA256

                                        59dec2e03c14ed06c4e26c515ef14976b511206d4370e25f86890410f83cd760

                                        SHA512

                                        4ed111e0cfb0426a2f76802c96036de76c56bdbfc20ae3df96766409838dd189a38e194cefd2e717bd1adb8084beb6e1dc8239db17057ee4927e27059cbac64f

                                        Download Submit

                                      • C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        a00ba1234f5a1895a662de9387410fde

                                        SHA1

                                        3eb2b3f0273a275e2b8b986a7a624496c2b10e77

                                        SHA256

                                        05a37d9143b45a4d400d4632a05fa4113894337fd9978219f358a04ed2d90d0a

                                        SHA512

                                        ca3bbea28b2abaeb8d3ccc5c8120df2a868b2b71aa90a76ca435df1598d795102aeb183650022d8f9cfc9784ffca86d175b6dc22b3be0b5c8ad6e0c5421b5328

                                        Download Submit

                                      • C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        e38a8ba2db5ea28f0f52d37b4a9d0d45

                                        SHA1

                                        eeb67e1eb72370ce24df9b82c6a7664176dfe064

                                        SHA256

                                        1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

                                        SHA512

                                        ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

                                        Download Submit

                                      • C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe
                                        Filesize

                                        1.6MB

                                        MD5

                                        79cd0210a20f3aa920aae692eb693b44

                                        SHA1

                                        ca4049b232dc7a6a04eb85e03c892df1336b5567

                                        SHA256

                                        38d16845f89cd414af6a187523110e5094dc76407be45c30a8e5982c99c05361

                                        SHA512

                                        037f84c511378f57ac86c0a3cf4044b35aeb1f2fc4fcb0e3a73d714c32c1c314163ea2475a3de56d6061206d23797853c1a0535f0663d5ebfb379965b4d8c938

                                        Download Submit

                                      • memory/2352-11-0x000000001AFE0000-0x000000001AFEC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/2352-6-0x000000001AF30000-0x000000001AF46000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/2352-14-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2352-16-0x000000001B8F0000-0x000000001B8FA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/2352-15-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2352-13-0x000000001B000000-0x000000001B00E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/2352-12-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/2352-319-0x00007FFD9AC70000-0x00007FFD9B731000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/2352-0-0x00007FFD9AC73000-0x00007FFD9AC75000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2352-10-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/2352-9-0x000000001AF70000-0x000000001AF78000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2352-17-0x000000001B900000-0x000000001B90C000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/2352-8-0x000000001AF60000-0x000000001AF70000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/2352-305-0x00007FFD9AC73000-0x00007FFD9AC75000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2352-7-0x000000001AF50000-0x000000001AF58000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2352-1-0x0000000000260000-0x0000000000402000-memory.dmp

                                        Filesize

                                        1.6MB

                                        Download

                                      • memory/2352-5-0x0000000002480000-0x0000000002490000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/2352-4-0x000000001AF80000-0x000000001AFD0000-memory.dmp

                                        Filesize

                                        320KB

                                        Download

                                      • memory/2352-3-0x0000000002530000-0x000000000254C000-memory.dmp

                                        Filesize

                                        112KB

                                        Download

                                      • memory/2352-2-0x00007FFD9AC70000-0x00007FFD9B731000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/3456-214-0x0000022A6E0E0000-0x0000022A6E102000-memory.dmp

                                        Filesize

                                        136KB

                                        Download