Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-10-2022 04:52

General

  • Target

    2c84169bc39cd8d6dd403fcec377131c.exe

  • Size

    4MB

  • MD5

    2c84169bc39cd8d6dd403fcec377131c

  • SHA1

    e2ea0fbe34f84d748745bb558414ebb829ed7031

  • SHA256

    8cf64f5d90065639f894f78a334386f75ffe99f8c41b05b2f03cf0a5438b9276

  • SHA512

    8a22ed9e6c98331663c291b9bb7b824a5bbb2a7f37c2ccc5e2b4afeafda9a8e5c1f44186b879bda7d850df975f6b1aba1c547ebe651decfe4fb8897de906ede5

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Extracted

  • Family
    colibri
  • Version
    1.2.0
  • Botnet
    Build1
  • C2
    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS, first seen in August 2021.

  • DcRat 43 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • Executes dropped EXE 8 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe
    "C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:3936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:816
    • C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe
      "C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2404
      • C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:5088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5SY0RjS3i.bat"
        3⤵
        PID:3832
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
          PID:3700
        • C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe
          "C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks computer location settings
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2024
          • C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:552
            • C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe"
              6⤵
              • Executes dropped EXE
              PID:1532
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3daaba4-a7ca-4c9f-a547-98259f9c3973.vbs"
            5⤵
            PID:484
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa4933b-5779-461f-aa4d-3cedbf2c4f00.vbs"
            5⤵
            PID:4392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\powershell.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Bypass User Account Control (1) T1088
    Scheduled Task (1) T1053
  • Defense Evasion
    Bypass User Account Control (1) T1088
    Disabling Security Tools (1) T1089
    Modify Registry (2) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (3) T1082

Downloads

  • C:\Program Files\VideoLAN\VLC\lua\extensions\conhost.exe
    Filesize 4MB
    MD5 2c84169bc39cd8d6dd403fcec377131c
    SHA1 e2ea0fbe34f84d748745bb558414ebb829ed7031
    SHA256 8cf64f5d90065639f894f78a334386f75ffe99f8c41b05b2f03cf0a5438b9276
    SHA512 8a22ed9e6c98331663c291b9bb7b824a5bbb2a7f37c2ccc5e2b4afeafda9a8e5c1f44186b879bda7d850df975f6b1aba1c547ebe651decfe4fb8897de906ede5

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2c84169bc39cd8d6dd403fcec377131c.exe.log
    Filesize 1KB
    MD5 bbb951a34b516b66451218a3ec3b0ae1
    SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
    SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
    SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize 2KB
    MD5 d85ba6ff808d9e5444a4b369f5bc2730
    SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 944B
    MD5 e8ce785f8ccc6d202d56fefc59764945
    SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
    SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
    SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 944B
    MD5 aaaac7c68d2b7997ed502c26fd9f65c2
    SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
    SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
    SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            61e06aa7c42c7b2a752516bcbb242cc1

            SHA1

            02c54f8b171ef48cad21819c20b360448418a068

            SHA256

            5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

            SHA512

            03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            c6c940df49fc678d1c74fea3c57a32f9

            SHA1

            79edd715358a82e6d29970998ff2e9b235ea4217

            SHA256

            4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

            SHA512

            3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e8478294527bc11b50f13186fc7c114e

            SHA1

            4f183fdc2b56fdaea9001248fc89aa748af257c4

            SHA256

            dde84811ceb2d1ebcf5b3d6128d0ccce673bb1a5324bffd444300a00c60f32a5

            SHA512

            72bda9eb9a4199043bbf538af4a30eea44e23efeafcaa0ad9e83ab18ed37823fafe8d4e833afe5f686c30f2ed46cce2ecf16c34bf6a2f4cdc09e711568197655

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cf79136142125a14a0d763b303b2effd

            SHA1

            20c496b9c84ddb9c365d6c59823660768c9dfdf7

            SHA256

            38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

            SHA512

            37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            61285b97e7447efc2aa5d39dd466b2a5

            SHA1

            b277983b34aad1ca8af50a5208a610bef81566cf

            SHA256

            0c3058d16e9c3fdc7199cdfabe8dabdbaf1e170f166f0a06f1e40cdeb54fe4b8

            SHA512

            f93cab1bd83bc96274b0d52d1024a4ca948fbd807355257ebe22c4e06fcc4ae0c9971c6ce8cd69ee4b445557213306bd98bb036fd4b4cded2219059925d3e5a9

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e04b405b691748ff696004cd139851bf

            SHA1

            4f9c2f9284ef3a46e0ba373c7335b0341237c64a

            SHA256

            6789503217c258281f56920c7b3d228bc8f3fe6abd2c2a65bf1b8ca4785387f4

            SHA512

            bfd151c644c749ec8c59dbbb4ca49cf5860bbafd5c84652073c704c5d5e055de6e70279a04f04ba016a0a4ba7efa0d024b259119a8f17ce337c411f5be137a46

          • C:\Users\Admin\AppData\Local\Temp\2c84169bc39cd8d6dd403fcec377131c.exe
            Filesize

            4MB

            MD5

            2c84169bc39cd8d6dd403fcec377131c

            SHA1

            e2ea0fbe34f84d748745bb558414ebb829ed7031

            SHA256

            8cf64f5d90065639f894f78a334386f75ffe99f8c41b05b2f03cf0a5438b9276

            SHA512

            8a22ed9e6c98331663c291b9bb7b824a5bbb2a7f37c2ccc5e2b4afeafda9a8e5c1f44186b879bda7d850df975f6b1aba1c547ebe651decfe4fb8897de906ede5

          • C:\Users\Admin\AppData\Local\Temp\P5SY0RjS3i.bat
            Filesize

            221B

            MD5

            07b93e384816cd0bfaa55206545c3d11

            SHA1

            e191220e55adc0e5faaa11c64191aca89e77c92e

            SHA256

            8678aac990e7cfe99e037d885e18052c4141d7305e65b45d6ea266bc32705d22

            SHA512

            f2dc7c0394177e2ef9d947609c12cc8184e728b4d2438befffd1b6ad49bdca72b17a0066d9984a56509d6bd0772e390cb551d487501092f58f92bc70675d592b

          • C:\Users\Admin\AppData\Local\Temp\b3daaba4-a7ca-4c9f-a547-98259f9c3973.vbs
            Filesize

            732B

            MD5

            f7807bdefa9ffb8d5ab0389f762277f5

            SHA1

            3872a50bbc81937059c8f6294aa55b2168f459d1

            SHA256

            b80b391a9bb622c85df60e1ff3e27afa7987c27a9d85f15a6cbd2841a6c3988e

            SHA512

            161c0a818edd6381a8f4859621304fb76d81cea01aac951c7b81cee7fe1f44781be86419adb79dfc423be8540714d2d295e5a37db106781924679324139a9546

          • C:\Users\Admin\AppData\Local\Temp\dfa4933b-5779-461f-aa4d-3cedbf2c4f00.vbs
            Filesize

            508B

            MD5

            86a13f5f4cb39aa259d7625c3f451512

            SHA1

            483b3508488ece996c08b4f1b63dc8e4c84d1fa4

            SHA256

            7cbdb8fd5615ef0829c8747e27d42e9b3fc3a577950d1ce5fd893e9fdc18bcf9

            SHA512

            c6250e5d42f9323fcc98d0a34c510a7490a553b740496a24d8c8eccf3473dbe894bdcc868ef208bbdf2ca45c1c4b5218f46011b04961fd1c553ada8268d05291

          • C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp.exe
            Filesize

            75KB

            MD5

            e0a68b98992c1699876f818a22b5b907

            SHA1

            d41e8ad8ba51217eb0340f8f69629ccb474484d0

            SHA256

            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

            SHA512

            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          • C:\Users\Admin\AppData\Local\Temp\tmp77CB.tmp.exe
            Filesize

            75KB

            MD5

            e0a68b98992c1699876f818a22b5b907

            SHA1

            d41e8ad8ba51217eb0340f8f69629ccb474484d0

            SHA256

            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

            SHA512

            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          • C:\Users\Admin\AppData\Local\Temp\tmpA112.tmp.exe
            Filesize

            75KB

            MD5

            e0a68b98992c1699876f818a22b5b907

            SHA1

            d41e8ad8ba51217eb0340f8f69629ccb474484d0

            SHA256

            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

            SHA512

            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
