Overview

overview

10

Static

static

10

1d90d6c35e...9c.exe

windows7-x64

10

1d90d6c35e...9c.exe

windows10-2004-x64

10

1dbfa6282e...68.exe

windows7-x64

8

1dbfa6282e...68.exe

windows10-2004-x64

8

1dc47906f1...32.exe

windows7-x64

10

1dc47906f1...32.exe

windows10-2004-x64

3

1df5615c53...d6.exe

windows7-x64

10

1df5615c53...d6.exe

windows10-2004-x64

10

1e02f6a6c6...83.exe

windows7-x64

7

1e02f6a6c6...83.exe

windows10-2004-x64

7

1e055435ef...e4.exe

windows7-x64

10

1e055435ef...e4.exe

windows10-2004-x64

10

1e320ed242...cb.exe

windows7-x64

10

1e320ed242...cb.exe

windows10-2004-x64

10

1ec4b8acdc...65.exe

windows7-x64

1

1ec4b8acdc...65.exe

windows10-2004-x64

1

1ecd5f6fdf...82.exe

windows7-x64

10

1ecd5f6fdf...82.exe

windows10-2004-x64

10

1f0343adab...d3.exe

windows7-x64

10

1f0343adab...d3.exe

windows10-2004-x64

10

1f1f2a5e82...ba.exe

windows7-x64

10

1f1f2a5e82...ba.exe

windows10-2004-x64

10

1f2f396008...f5.exe

windows7-x64

10

1f2f396008...f5.exe

windows10-2004-x64

10

1f824bf7c7...67.exe

windows7-x64

10

1f824bf7c7...67.exe

windows10-2004-x64

10

1fb433aec1...59.exe

windows7-x64

10

1fb433aec1...59.exe

windows10-2004-x64

10

1fe86f0bbb...3e.exe

windows7-x64

10

1fe86f0bbb...3e.exe

windows10-2004-x64

10

201b2bf97d...42.exe

windows7-x64

10

201b2bf97d...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

  • Size

    1.6MB

  • MD5

    e38a8ba2db5ea28f0f52d37b4a9d0d45

  • SHA1

    eeb67e1eb72370ce24df9b82c6a7664176dfe064

  • SHA256

    1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

  • SHA512

    ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

  • SSDEEP

    24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
    "C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\Registry.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4552_272154635\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\SppExtComObj.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4980
    • C:\f9532e701a889cdd91b8\Registry.exe
      "C:\f9532e701a889cdd91b8\Registry.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b71b13b0-27d4-40e8-b367-281504b421d0.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\f9532e701a889cdd91b8\Registry.exe
          C:\f9532e701a889cdd91b8\Registry.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\453273d7-a94f-4fba-9155-f7a4c9635575.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\f9532e701a889cdd91b8\Registry.exe
              C:\f9532e701a889cdd91b8\Registry.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5608
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccd28f2c-cb57-4f90-92a4-4997f46980ff.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:5508
                • C:\f9532e701a889cdd91b8\Registry.exe
                  C:\f9532e701a889cdd91b8\Registry.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3840
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5134b503-8edc-4775-b4e6-917cb44ab569.vbs"
                    9⤵
                      PID:3656
                      • C:\f9532e701a889cdd91b8\Registry.exe
                        C:\f9532e701a889cdd91b8\Registry.exe
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3888
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eaaf0bf-d5fa-4cb4-b705-8fc6edc1d81c.vbs"
                          11⤵
                            PID:3364
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fed9aa5-58ea-402c-a771-ca4a26d0048c.vbs"
                            11⤵
                              PID:4112
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2671d6-cedf-4725-8898-b8b7ad08ebdc.vbs"
                          9⤵
                            PID:4804
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffbf21be-1d33-4e55-a5dd-5ff0a0cf129a.vbs"
                        7⤵
                          PID:948
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33eaaf2b-a875-48fd-97ff-e5f3947bbcf9.vbs"
                      5⤵
                        PID:5488
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70f55e7b-5070-4b90-921c-dbbf96e14d1b.vbs"
                    3⤵
                      PID:3704
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4008
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3648
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4700
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4896
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5000
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\sihost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4648
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:760
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4828
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4832
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4880
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:6140
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:748
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4944
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4776
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2420
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3656
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\lsass.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4964
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4800
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5080
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1532
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1004
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4804
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:6136
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2688
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2908
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4552_272154635\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5972
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4552_272154635\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3752
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4552_272154635\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4752
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5500
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4196
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\explorer.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:544
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1176
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2956
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3168
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:6056
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3568
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3256
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3016
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5968
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5696
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4240
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3192
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\smss.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3372
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3156
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5840
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\explorer.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3688
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1724
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3852
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:6124
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2616
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3036
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\SppExtComObj.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3620
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3812
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2248

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Internet Explorer\fr-FR\SppExtComObj.exe
                  Filesize

                  1.6MB

                  MD5

                  65b86dc8b3ebde71091e27d88076c6ca

                  SHA1

                  5316bc3964af4c74681ed8d89bd76815f7c3dba3

                  SHA256

                  5b3e59292895555693964a59cfaeffa067541db8d9b64e1b31a30bced0b9bab5

                  SHA512

                  0a1db107bf58952adeede85e61fb7b6b270caf531d0179fce154382e986d322983a3c731f7071665bc4323adb5171e9091ca19d04a30d712fc080c156b0e8792

                  Download Submit

                • C:\Program Files\Microsoft Office\Updates\explorer.exe
                  Filesize

                  1.6MB

                  MD5

                  9afe7a9c3b1d7402f7b4f36d44481796

                  SHA1

                  6ed4cd0a22dc20e43c0a2610a09636c8d1c90eba

                  SHA256

                  554e6847255f726469cff262620d3ea6599031b80e1148ddf5cd48c9186d26cc

                  SHA512

                  148a965aacd67cac7bd1e24329e75e4478f6c4fa8c56eb00cfb2667299284c35196d26373e0eaf4265899b5a7e9e888b98c66afbc629dcc54d462397fe0b7bd4

                  Download Submit

                • C:\Recovery\WindowsRE\backgroundTaskHost.exe
                  Filesize

                  1.6MB

                  MD5

                  53fb971ff49ed3cf1acb3544bda19df6

                  SHA1

                  84c0487a7ab928e197efc00e3d5959d24cbe2ed7

                  SHA256

                  de101af0460b09cf7d22fc9e9619db94f577fda34b0f0a3b2bf1a2f3c8626bde

                  SHA512

                  1f8bee1332226411d29a8a15fdbc70e3499ec0b086756f1570f1cf3ed6e0bd0dc0bd614cc5a59eca3e4ca2eec97fdece89753d3882d6c842f13adb2c72b76d49

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log
                  Filesize

                  1KB

                  MD5

                  3690a1c3b695227a38625dcf27bd6dac

                  SHA1

                  c2ed91e98b120681182904fa2c7cd504e5c4b2f5

                  SHA256

                  2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

                  SHA512

                  15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  2044ef36c414ed6e6c991e5fbe7d5bf1

                  SHA1

                  0dbd4be869af1290a771fa295db969dc14b2a1fc

                  SHA256

                  1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

                  SHA512

                  304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  e69ced0a44ced088c3954d6ae03796e7

                  SHA1

                  ef4cac17b8643fb57424bb56907381a555a8cb92

                  SHA256

                  49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

                  SHA512

                  15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  4ee21a21f8b414c5a89db56be6641dd5

                  SHA1

                  2403dc36f95bcc4536ac61057a9ce76e11b470f9

                  SHA256

                  49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

                  SHA512

                  996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  80dfd43d9904cb4bdd37f6934f47ccf8

                  SHA1

                  72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

                  SHA256

                  a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

                  SHA512

                  793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  7ebbb17f3791dea62cf267d83cf036a4

                  SHA1

                  266c27acf64b85afd8380277f767cc54f91ab2b0

                  SHA256

                  2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

                  SHA512

                  6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  0c3cddab7d289f65843ac7ee436ff50d

                  SHA1

                  19046a0dc416df364c3be08b72166becf7ed9ca9

                  SHA256

                  c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

                  SHA512

                  45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  0f29d4b03e157fa020f2b793683543af

                  SHA1

                  1b0603266b02dd38444489e0d5e18ee93b6b766a

                  SHA256

                  eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

                  SHA512

                  b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  9ec1de5af22ee94e2a00a91da98957bd

                  SHA1

                  0ade5098be757a47adb6d5d0dbf576bcf41d6253

                  SHA256

                  540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

                  SHA512

                  8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  8d7ef90d60b004c1ca554407c4ce6d0f

                  SHA1

                  8d57fc1cbb9776bb85c8c740a7ad2bc10c531fb4

                  SHA256

                  5a2c61fa1c443a345a6f9961b72b01489f7ceaf7da9af4f9f217ae5e81a8bffb

                  SHA512

                  263d0d91a24adbe5e536a48145976876e88d09b57435efcafd622391f8c586c0d282c7cb78275074e039e3108474c1b13199be1adbcbd79990e6e6b3d60f2809

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  aaf0080989fabad865a080216418fbf2

                  SHA1

                  935075309ff07f95b5c2ff643661fef989526e15

                  SHA256

                  86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

                  SHA512

                  21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  16a6a93b66d0e764324e2abde988e87f

                  SHA1

                  2e79e9a885d4fe41ca396cc4f5d79c5803c87911

                  SHA256

                  617d34790965de2672b4ea86c7c078637b1225b70596c064bf3b53bc44dba881

                  SHA512

                  32ca76d665bee47070b52df6d9e8e2ffd972558cb2662ff0e851382a4f2824d661f6589c300f7f53efd3226d78f81fa9a7c96819fd2b4b1c7a17a1f02c6bc4df

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\3eaaf0bf-d5fa-4cb4-b705-8fc6edc1d81c.vbs
                  Filesize

                  712B

                  MD5

                  a6c080442e002a6dd624e102ae58655c

                  SHA1

                  c54ec16123bb22fc4f92cf37d755eb84c4af50a0

                  SHA256

                  3c82019986bafce6ed5c52fe1b9711c5f3695b7ae89f11c8e180c70f6fb81860

                  SHA512

                  d498ed21bff8c452ac56a26fb0c2a2196b1326077dc3bc0f943247a911ddd6e86f5d03077e01e429c26f8b6dd4a34c1353c289c0d2613442614321cfeb7273bf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\453273d7-a94f-4fba-9155-f7a4c9635575.vbs
                  Filesize

                  712B

                  MD5

                  4e4558ee4a8b9384f6fe6a94826310dd

                  SHA1

                  1bd3b78ebd349e7525dc1463a061d9d4295cf14a

                  SHA256

                  f4240da104e690dd8dadee27257ed5def8ce7bb03f82efded303c88312afac5c

                  SHA512

                  e4072cf10c01abbdddd61dba1967b285262ed5c64c5b5c12b19dadcddcec3ecad5880afb1bcd01afbad7455bea74a531ea77fd81ff172387f85d3f772e655559

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\5134b503-8edc-4775-b4e6-917cb44ab569.vbs
                  Filesize

                  712B

                  MD5

                  10e04025426396a924f5851000d5c250

                  SHA1

                  47cee58b6c7fce923ed9bb3454545f34a208711d

                  SHA256

                  7dce328564d575803a7f0ee11262ba105552a0ba884d0bf49444be58bb61392d

                  SHA512

                  96b49b045fc1343ab6f234fe99a66815c76997445611d1959d9b31e176364ac73d10f1d5804afd3ca3a0830529f32877afa6920d7523afe35307b709d26f8d65

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\70f55e7b-5070-4b90-921c-dbbf96e14d1b.vbs
                  Filesize

                  488B

                  MD5

                  719a4ddcaa267ba629095bf476ffc907

                  SHA1

                  62baf95e1c13a729570d76ade96b228831100d8b

                  SHA256

                  891d7d9180ef8c6b56d60f56e0c073382c4837a77ca119a35f07a7405b029017

                  SHA512

                  05adf8502098c0c799d500d977a43602b1450e05107a9b2251f25e433a208f69252340c5e1d92759bce2d1f3517eaeef6030fb53fb9caf58862df8b5cc3dd526

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3qt1cbg.33m.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\b71b13b0-27d4-40e8-b367-281504b421d0.vbs
                  Filesize

                  711B

                  MD5

                  f4246cbfef8daccb2236cf7ea31564f1

                  SHA1

                  1c9ff58dfca44de2fea23495b8eb3f24af57afaf

                  SHA256

                  49d3e4df095c862744ba8a41a71e70d6a9faf828ad9eeabe1f77d62e573b9082

                  SHA512

                  fa575036977dd6f82c0781d0ff97a8d621d4ef27e4cfbdbf134bf6a2c472975d7f1d37f27bf63dd32cb400da3a93868008cc809d3f0a542d97df734eaa2ecb35

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ccd28f2c-cb57-4f90-92a4-4997f46980ff.vbs
                  Filesize

                  712B

                  MD5

                  02f59c26f1c3f5550e2eddd2603c80a4

                  SHA1

                  dd61b46887835a785465751918bd120f2a2e3310

                  SHA256

                  2c35e51c77a335b4a639e575c4a552b58d4b3ce1660decacd9604b214d198fcc

                  SHA512

                  0e115659943e73c7f28e9c6fa1345f385c9ea84aa86eb2532a72293e99ca7f3862c08f2ee262bc973e5b3eb1f8eae0f928c1e59d0b1d70c48709e69a8667df54

                  Download Submit

                • C:\Users\Public\RuntimeBroker.exe
                  Filesize

                  1.6MB

                  MD5

                  c6bd24e96d7c4c18896c44ac76955265

                  SHA1

                  3894855f7ffa7c8a78e2739553e9415a5204f7ba

                  SHA256

                  bb64909edbdc34b0fc7ca625ee20d0861f8a77e5a3332d4ccd87f9ac786ceaff

                  SHA512

                  9b4a94bda409f4e032f7c0e23eabf7b5d9a25f02762686d4ff063e9a3b118dceea38be943d66ca705134628954b1a23b2b8a772dca237272ec8bf13668281412

                  Download Submit

                • C:\f9532e701a889cdd91b8\Registry.exe
                  Filesize

                  1.6MB

                  MD5

                  2a5cdeec8cdcad408e9b6aa194e011ae

                  SHA1

                  071b74e98baf72a2f6e2496b6578dc52873fb9ed

                  SHA256

                  d0ad88571409dcf93c06db7039b4ba6674d44002b75af20b8e67361b20b10e8c

                  SHA512

                  ed58465057aa7226c2078f5a3e725404a9d737fb0db334e8dbca8421d5acaca8e1ece2ead87e3b279e3eecb7e772c039d5af5dd58163ea21df8a3384d64f5111

                  Download Submit

                • C:\f9532e701a889cdd91b8\Registry.exe
                  Filesize

                  1.6MB

                  MD5

                  e38a8ba2db5ea28f0f52d37b4a9d0d45

                  SHA1

                  eeb67e1eb72370ce24df9b82c6a7664176dfe064

                  SHA256

                  1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

                  SHA512

                  ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

                  Download Submit

                • C:\f9532e701a889cdd91b8\sihost.exe
                  Filesize

                  1.6MB

                  MD5

                  8163c16b934591b3d0150a1490778cb9

                  SHA1

                  00c7898853f22b41f9135ec9da1d7a7a50f34531

                  SHA256

                  a1de4f43be96986d225db4e4224a0fa085321b7c03e6cd46f611c0386bcddc62

                  SHA512

                  ba289ccb04dab0276880c8253bc6f102922a8bf661f67cd08160e99707145543fdbe4e1a56101fc748af6764abd3f248e68574ccaac3211d35b8f98cb56b22ec

                  Download Submit

                • memory/972-521-0x00000000008F0000-0x0000000000A92000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/2148-3-0x0000000000C50000-0x0000000000C6C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2148-13-0x0000000002600000-0x000000000260E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2148-522-0x00007FFF332F0000-0x00007FFF33DB1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2148-17-0x00000000027D0000-0x00000000027DC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2148-16-0x00000000027C0000-0x00000000027CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2148-8-0x00000000025D0000-0x00000000025E0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2148-5-0x0000000002520000-0x0000000002530000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2148-2-0x00007FFF332F0000-0x00007FFF33DB1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2148-0-0x00007FFF332F3000-0x00007FFF332F5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2148-15-0x00000000027B0000-0x00000000027B8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2148-14-0x00000000027A0000-0x00000000027A8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2148-11-0x00000000025E0000-0x00000000025EC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2148-199-0x00007FFF332F0000-0x00007FFF33DB1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2148-174-0x00007FFF332F3000-0x00007FFF332F5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2148-12-0x00000000025F0000-0x00000000025FA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2148-4-0x0000000002570000-0x00000000025C0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/2148-6-0x0000000002530000-0x0000000002546000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2148-1-0x0000000000150000-0x00000000002F2000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/2148-7-0x0000000002550000-0x0000000002558000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2148-9-0x0000000002560000-0x0000000002568000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2148-10-0x00000000025C0000-0x00000000025CC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5404-339-0x0000024C56530000-0x0000024C56552000-memory.dmp

                  Filesize

                  136KB

                  Download