Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2023, 00:21

General

  • Target

    20ec8d347f674ebadc53399ef6aa49cb.exe

  • Size

    3.4MB

  • MD5

    20ec8d347f674ebadc53399ef6aa49cb

  • SHA1

    f418d228eb276f216b4986b55b2c762d11991a31

  • SHA256

    9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

  • SHA512

    e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

  • SSDEEP

    49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 31 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe
    "C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6duSsQqWjw.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2400
        • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
          "C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1512
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41bd7273-2680-4f7c-aecc-d77a0b6c30fa.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
              C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3012
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bf951a-fd49-4fe8-88da-62ad79b45680.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1616
                • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2600
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46535dec-4736-494f-9c64-c2c0add82f7d.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2552
                    • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                      C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                      9⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2856
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3544b973-88a7-4a99-a6c8-98ea7fa12259.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:584
                        • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                          C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                          11⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:680
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0b2dcb-6e82-4d0b-89a2-a0951f2de7f2.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:848
                            • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                              C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                              13⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2860
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c334203c-f3a8-49b0-bd6b-7b0ca72b947b.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2456
                                • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                  15⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:1804
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1df24147-8eae-44b8-aa4a-1aecdbb4a5f7.vbs"
                                    16⤵
                                      PID:2104
                                      • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                        C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                        17⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:1628
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ac1b40-0212-4318-805c-875e831b8cc4.vbs"
                                          18⤵
                                            PID:1160
                                            • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                              C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                              19⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:980
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5c8f99-bc44-435b-b255-a4049cf272b4.vbs"
                                                20⤵
                                                  PID:2836
                                                  • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                    C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                    21⤵
                                                    • UAC bypass
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:2204
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ec34ea-fbdb-4f6a-9803-c8ff588e6b37.vbs"
                                                      22⤵
                                                        PID:2560
                                                        • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                          C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                          23⤵
                                                          • UAC bypass
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:1468
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24901394-deda-4337-b718-0a3709822930.vbs"
                                                            24⤵
                                                              PID:1220
                                                              • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                                C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
                                                                25⤵
                                                                  PID:2252
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd11f68-b667-4f21-bfd4-1a23413e4931.vbs"
                                                                24⤵
                                                                  PID:1756
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\debcb75f-be70-45c6-b46a-3b8d32ec91d9.vbs"
                                                              22⤵
                                                                PID:896
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3007ba6-efe9-4452-9159-8a9acbf15039.vbs"
                                                            20⤵
                                                              PID:2148
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33906f0c-8bb5-49e7-8a9a-88f53a877304.vbs"
                                                          18⤵
                                                            PID:2792
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ebc5b65-b5f7-49ae-82d6-92aea4f64404.vbs"
                                                        16⤵
                                                          PID:2024
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f9d0660-ddb6-4918-8caa-57331b96e6bb.vbs"
                                                      14⤵
                                                        PID:2712
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86c347e-9dad-4cd7-ac18-51ea8ce513f9.vbs"
                                                    12⤵
                                                      PID:1536
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45932db-425b-48ca-9063-ad2734cf808c.vbs"
                                                  10⤵
                                                    PID:904
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43a469b-893c-417d-8ab7-4f7bf027ec9b.vbs"
                                                8⤵
                                                  PID:1072
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs"
                                              6⤵
                                                PID:2616
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7920eb4f-cf22-4b66-a82b-19ad5ed510fa.vbs"
                                            4⤵
                                              PID:2852
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2704
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2468
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1048
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2024
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2444
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2504
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2884
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2896
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2756
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2932
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1372
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\System.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2500
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1160
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1920
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2492
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2872
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2016
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2360
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1780
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2056
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2256
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1688
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2260
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:796
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:544
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:904
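The seven schtasks.exe invocations above are the sample's persistence layer: every action points at a binary named after a core Windows process (csrss.exe, lsm.exe, spoolsv.exe) but located outside System32 (a LocalService profile, a C:\Recovery GUID folder, C:\Windows\debug\WIA), and the MINUTE triggers combined with /rl HIGHEST re-launch the implant every 10 to 14 minutes. The Python below is an added example, not part of this sandbox report, that parses command lines of this shape (the seven from the tree, embedded as constructed sample input) and explains why each task is flagged. The allow-list of system process names and the two legitimate directories are my assumptions; adapt them to your own baseline.

```python
"""Flag scheduled-task persistence that masquerades as Windows system processes.

Added example: parses schtasks.exe /create command lines and reports why each
task looks like a persistence mechanism rather than an administrative job.
"""
import re
from typing import Optional

# Constructed sample input: the seven schtasks.exe command lines recorded in the
# process tree of this report, embedded so the script runs offline.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f''',
]

# Assumption: a short allow-list of core Windows process names and the directories
# they are legitimately started from. Extend both for your environment.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsm.exe", "spoolsv.exe", "audiodg.exe", "lsass.exe", "smss.exe",
    "svchost.exe", "services.exe", "wininit.exe", "winlogon.exe", "dwm.exe",
}
SYSTEM_BINARY_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted token or a bare token


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its value; valueless switches such as /f map to True."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    parsed = {"image": tokens[0] if tokens else ""}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            parsed[tok[1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return parsed


def action_executable(tr: str) -> tuple:
    """Return (executable path, was_single_quoted) from a /tr value."""
    tr = tr.strip()
    if tr[:1] in ("'", '"'):  # this sample wraps the path in single quotes inside the double quotes
        end = tr.find(tr[0], 1)
        return (tr[1:end] if end > 0 else tr[1:]), tr[0] == "'"
    return (tr.split()[0] if tr else ""), False


def assess_task(cmdline: str) -> Optional[dict]:
    """Return a finding for a schtasks /create command line, or None for anything else."""
    p = parse_schtasks(cmdline)
    if "create" not in p:
        return None
    exe, single_quoted = action_executable(str(p.get("tr", "")))
    directory, _, name = exe.lower().rpartition("\\")
    stem = name[:-4] if name.endswith(".exe") else name
    task = str(p.get("tn", ""))
    schedule = str(p.get("sc", "")).upper()
    run_level = str(p["rl"]).upper() if "rl" in p else None
    reasons = []

    # Core signal: a system-process name launched from a non-system directory.
    masquerade = name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_BINARY_DIRS
    if masquerade:
        reasons.append(f"{name} launched from {directory or '<no directory>'} rather than System32/SysWOW64")
    if stem and task.lower().startswith(stem):
        reasons.append(f"task name {task!r} is derived from the binary name")
    if run_level == "HIGHEST":
        reasons.append("runs at the highest available privilege level (/rl HIGHEST)")
    interval = None
    if schedule == "MINUTE":
        mo = str(p.get("mo", "1"))
        interval = int(mo) if mo.isdigit() else 1
        reasons.append(f"re-executes every {interval} minutes, a watchdog pattern")
    elif schedule == "ONLOGON":
        reasons.append("re-executes at every logon")
    if single_quoted:
        reasons.append("action path wrapped in single quotes inside the /tr argument")

    return {
        "task": task, "schedule": schedule, "action": exe, "run_level": run_level,
        "reasons": reasons,
        "suspicious": masquerade or (run_level == "HIGHEST" and interval is not None and interval <= 15),
    }


def scan(cmdlines) -> list:
    """Findings for every schtasks /create command in the input, in order."""
    return [f for f in map(assess_task, cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        rl = f["run_level"] or "-"
        print(f"[{flag}] {f['task']:<9} {f['schedule']:<7} rl={rl:<7} {f['action']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Feed it Sysmon event ID 1 or Security 4688 command lines filtered to schtasks.exe; the same name-versus-directory check also applies to the dropped-file paths in this report (audiodg.exe under C:\Recovery), independent of any scheduled task.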

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

                                              Filesize

                                              576KB

                                              MD5

                                              fe352ec25397d2c4a7454b13533f2ceb

                                              SHA1

                                              21527a7d603408c01a68081ebc0890133d018625

                                              SHA256

                                              1ff67df58a33ef26207e0f16a25a1a6658676fdd88e985d6b3b9ac0dbd2e0509

                                              SHA512

                                              3be4c13cfb9177905e46efb41120e98f7280b1990c48ed3e1f7df90255b0b832fe9d85748671067191d3e07651c58da2b2dfac4989258017dd450554dbc0ceb9

                                            • C:\Users\Admin\AppData\Local\Temp\1df24147-8eae-44b8-aa4a-1aecdbb4a5f7.vbs

                                              Filesize

                                              736B

                                              MD5

                                              23b0246418d38465028152d1d431d122

                                              SHA1

                                              aad6af8380f6d21424346453e10600384730bdac

                                              SHA256

                                              34d9bc568374347246d6f16a137d073dea7eb840ba344b0408d5037268150750

                                              SHA512

                                              ea4b88872291313a474d492393cfc7f9542038a835a0658316b6be8953c143807a9c391531b58b44f42d30a2e5bd79020847bd985906df59711804e8527f1bd5

                                            • C:\Users\Admin\AppData\Local\Temp\24901394-deda-4337-b718-0a3709822930.vbs

                                              Filesize

                                              736B

                                              MD5

                                              579cc0a8dba7ff07a44200fef2f7955a

                                              SHA1

                                              3cfe75d627dc3932909dbbc7f09a7a7b933c18ef

                                              SHA256

                                              a9ba626a911a33318094e235f07c36c89d924ac40199a7c7f553096e07dfdf28

                                              SHA512

                                              da654bba8c47b0bf3b8e824cf4a0dec3d07f6f6e7b6253481c41b1ae14b8b0cceaf677f576de5e4dfec58fc77f247e91dce6c6d18b1b20953aab967ced145a1c

                                            • C:\Users\Admin\AppData\Local\Temp\2c0b2dcb-6e82-4d0b-89a2-a0951f2de7f2.vbs

                                              Filesize

                                              735B

                                              MD5

                                              a3b878a5936f511d737e228a8c8009df

                                              SHA1

                                              aa08a3ac58f115fe46c0543a408a30152519b636

                                              SHA256

                                              723cb9dbe34cc317b613b9c8265b79c63842dedacaf9ed682637f47e74484c74

                                              SHA512

                                              13e1e5478588828306433fed9cd0cb69794a54f9f60cad5b9d51807a3a1540fd6d1815ea8bd14f12e3ca2697a259402635721859b1f1a2e76572f4c48ea8cb58

                                            • C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\33906f0c-8bb5-49e7-8a9a-88f53a877304.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\33ac1b40-0212-4318-805c-875e831b8cc4.vbs

                                              Filesize

                                              736B

                                              MD5

                                              4b469cf4305015c315ee8da0c5d81232

                                              SHA1

                                              c8e9faec266a6c0091c5a8948b34520364327500

                                              SHA256

                                              564541da59ba974c295ed714d0227f6bbf59b66419b52ec67f4fafcec73a5850

                                              SHA512

                                              cd331a7728be56ba0df4a6fd05959fc694826182f09482518876535e1913783dd7d37512b83c79428e24403f4826cfce358b912c841b180f519bdea4894ed2bb

                                            • C:\Users\Admin\AppData\Local\Temp\3544b973-88a7-4a99-a6c8-98ea7fa12259.vbs

                                              Filesize

                                              736B

                                              MD5

                                              de929189f6aedc176bf467cbc2938ac5

                                              SHA1

                                              3a7f3b712f722d08219525eadd569970ab65b6b3

                                              SHA256

                                              ce491f39cb5ab7b03292ded7e8e052062126f109e4225f8cc2318e7f3d7f77de

                                              SHA512

                                              8d39eeb9174668b4d6dfed839ca734aaf8f4ba4b776f91af5844c094dea2385dbf804982b6feb4910325846d26867c7ec298f85fc6012ed165cede87f6a53b6b

                                            • C:\Users\Admin\AppData\Local\Temp\41bd7273-2680-4f7c-aecc-d77a0b6c30fa.vbs

                                              Filesize

                                              736B

                                              MD5

                                              4a54a34649442f0359c53752d864abfe

                                              SHA1

                                              b1132f2582ffb617a14f2562dbd22a94f3445da1

                                              SHA256

                                              51e777f816adcf889011c8c66c79d6e7f808e0ee5214f4cc2f1c25b40bbcb1be

                                              SHA512

                                              27ae9b3e2b38135b89c715c3043b0e218189ebf9f3154f1565ffa81ceaf0c6c0a6b9daf088773c8fe4828be530478d592c49c2f15f2286db6b55fd9a2200c923

                                            • C:\Users\Admin\AppData\Local\Temp\46535dec-4736-494f-9c64-c2c0add82f7d.vbs

                                              Filesize

                                              736B

                                              MD5

                                              cbbb8087351e21de19b5ca76567e6559

                                              SHA1

                                              03329d71f523208c935e2953a71fc3b33b74cce6

                                              SHA256

                                              cafaab16c92c34a120eb2e156f7abc74e75711c417eb9d678cf6fb5480010fe5

                                              SHA512

                                              1ca6d9574bc8df72eb11969d22a18f29839ea7c332307dc4ea963156b33b3bf723c790a1fb183d7819096172655008658962fafae161800b3fdd16ff12021714

                                            • C:\Users\Admin\AppData\Local\Temp\4ebc5b65-b5f7-49ae-82d6-92aea4f64404.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\5f9d0660-ddb6-4918-8caa-57331b96e6bb.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\67bf951a-fd49-4fe8-88da-62ad79b45680.vbs

                                              Filesize

                                              736B

                                              MD5

                                              e3cad206201de24d9cba776c97a35ebf

                                              SHA1

                                              508fb21fea551a78d5f6b27c0bd5bbf3f27b4bf8

                                              SHA256

                                              4ac76b5081e68b0677566e5991e8dba375c395b4ac42ea429366324361341b66

                                              SHA512

                                              e119e2a58637b3982ded6aad04514fa11de2ce34375c7e4f719631d6e04f8524351939f45f26589c5d01d049674d4f02b0d88602bdaaacfb619c2b517524c646

                                            • C:\Users\Admin\AppData\Local\Temp\6duSsQqWjw.bat

                                              Filesize

                                              225B

                                              MD5

                                              b8db43950d59d33b301ce5289334c524

                                              SHA1

                                              6d2e12ff0ca4b491042ed3c15139915739c9c1ff

                                              SHA256

                                              8873190d01964c01f592b03bf952862ca639fff15c1b926e1e7a3d269e954b20

                                              SHA512

                                              1bc800e05839d47432103f5faed9e028bc92035b12f6e296001f8bb4fe490fb674f4a93d24dd0bc199c3643082bb124605c03243b30f1cb2ee6c9c247b3a766b

                                            • C:\Users\Admin\AppData\Local\Temp\7920eb4f-cf22-4b66-a82b-19ad5ed510fa.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\9fd11f68-b667-4f21-bfd4-1a23413e4931.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\af5c8f99-bc44-435b-b255-a4049cf272b4.vbs

                                              Filesize

                                              735B

                                              MD5

                                              fa94d1e3e259ee0f921f3a23d1eb42da

                                              SHA1

                                              12cbb1eb58bea6490a32d076a2df2e9c2ccfa405

                                              SHA256

                                              99e3b77a0b3616c91fd83b3dd20eca775dd1b1516994d2307d2b1133713a3fc8

                                              SHA512

                                              b45de7e3414398ac7f8d3b0854713ab3ad77563bf895f0848c19dabed448899932d895aa25779fb415ed92693096f2592d2e5a0916f4836bb326091da2f7acf2

                                            • C:\Users\Admin\AppData\Local\Temp\c334203c-f3a8-49b0-bd6b-7b0ca72b947b.vbs

                                              Filesize

                                              736B

                                              MD5

                                              b333efd4eba715f6ab7e7de7abb08683

                                              SHA1

                                              0ba0d56132680b5b7bc47066cba159440f6a1d6a

                                              SHA256

                                              5068da928326ba676c020ed59121d1bc7d398ede0b4439135f2002241f7ac54c

                                              SHA512

                                              e4a33146e96e07414619e1e3a5148e48b121198631694fb403e17518b2f449c166a0b32d265cd2a0f45f81cfc39de96e648640b864125cdb55e1e3b95b9664cd

                                            • C:\Users\Admin\AppData\Local\Temp\c45932db-425b-48ca-9063-ad2734cf808c.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                            • C:\Users\Admin\AppData\Local\Temp\d86c347e-9dad-4cd7-ac18-51ea8ce513f9.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                              Note: the same 512-byte script (identical MD5/SHA1/SHA256/SHA512) is written under several different GUID-named .vbs paths in Temp; only the file name varies. The report does not reproduce the script body, so the hashes are the only handle on it, and a detection keyed on the random file name would miss the next run.

                                            • C:\Users\Admin\AppData\Local\Temp\debcb75f-be70-45c6-b46a-3b8d32ec91d9.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\e3007ba6-efe9-4452-9159-8a9acbf15039.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\e43a469b-893c-417d-8ab7-4f7bf027ec9b.vbs

                                              Filesize

                                              512B

                                              MD5

                                              941528fb958adec2b55a4c03d35bdd04

                                              SHA1

                                              d911920e590c86e68debfd48dc6805f635c44aa9

                                              SHA256

                                              8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544

                                              SHA512

                                              5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

                                            • C:\Users\Admin\AppData\Local\Temp\e6ec34ea-fbdb-4f6a-9803-c8ff588e6b37.vbs

                                              Filesize

                                              736B

                                              MD5

                                              b77e7e684a3d983929bafa8ccc16ef78

                                              SHA1

                                              34a08ada212b2bd57847cf80144c345a8badfd81

                                              SHA256

                                              2745062dea6a2c57e4591ea516dc8e5914344296010707f891d665d36fc78108

                                              SHA512

                                              ca5466cb094b058c918749de09069c37815ca67f0c6d116e1966f3806603e463a74db2b18b41c306182ae8a5cef14baa62f3a3c5fc3c98b2e369484a8694610e

                                            • C:\Windows\it-IT\System.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              20ec8d347f674ebadc53399ef6aa49cb

                                              SHA1

                                              f418d228eb276f216b4986b55b2c762d11991a31

                                              SHA256

                                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                              SHA512

                                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                              Note: same size and hashes as the c4a9763be62e12dd57f16f0d2de313a58f920e36.exe copy in Temp above. C:\Windows\it-IT\ is a locale resource directory that normally holds MUI resource files rather than executables, so an .exe named System.exe at this path is a strong host indicator even before its hash is checked.
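
The dropped-file entries above give a small, fixed set of hashes plus one unusual drop location. The following script, added here as an illustration and not part of the sandbox report, sweeps a directory tree for those indicators: it hashes every file, matches SHA-256 against the values copied from the list above, and separately flags any executable sitting directly inside a Windows locale resource folder (the it-IT heuristic). Because the real sample is not available offline, `demo()` builds a constructed directory tree and a constructed hash table so the mechanics can be exercised end to end; the `DROPPED_SHA256` table is the one to pass when sweeping a real host.

```python
"""Sweep a directory tree for the dropped-file indicators listed in this report.

Added example, not part of the sandbox report. The SHA-256 values in
DROPPED_SHA256 are copied from the dropped-file entries above; everything
under demo() is constructed so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 values taken from the dropped-file list above.
DROPPED_SHA256 = {
    "9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f":
        "3.4MB payload (Temp\\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe, Windows\\it-IT\\System.exe)",
    "8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544": "512B .vbs",
    "2745062dea6a2c57e4591ea516dc8e5914344296010707f891d665d36fc78108": "736B .vbs",
}

# Locale resource folder names such as it-IT or en-US.
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Z]{2}$")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def suspicious_path(relpath):
    """True for an .exe placed directly inside a locale resource folder
    (Windows\\it-IT\\System.exe in this report); such folders normally hold
    MUI resources, not executables."""
    parts = relpath.replace("\\", "/").split("/")
    return (len(parts) >= 2
            and parts[-1].lower().endswith(".exe")
            and LOCALE_DIR.match(parts[-2]) is not None)


def sweep(root, iocs=DROPPED_SHA256):
    """Return sorted [(relative_path, reason)] for files whose SHA-256 is a
    known indicator, or whose location matches the locale-folder heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = sha256_of(full)
            if digest in iocs:
                hits.append((rel, "hash match: " + iocs[digest]))
            elif suspicious_path(rel):
                hits.append((rel, "executable in locale resource folder"))
    return sorted(hits)


def demo():
    """Constructed directory tree and constructed hash table (the real payload
    bytes are not available), exercising both detection paths offline."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the 3.4MB payload"
    script = b'Set s = CreateObject("WScript.Shell")\r\n'  # constructed, not the real .vbs
    iocs = {
        hashlib.sha256(payload).hexdigest(): "constructed payload",
        hashlib.sha256(script).hexdigest(): "constructed vbs",
    }
    tree = {
        "Windows/it-IT/System.exe": payload,             # known hash, bad location
        "Windows/it-IT/updater.exe": b"MZ other",        # unknown hash, bad location
        "Users/Admin/AppData/Local/Temp/a.vbs": script,  # known hash, random name
        "Windows/System32/benign.dll": b"MZ benign",     # nothing to report
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return sweep(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host, `sweep(r"C:\")` with the default table is the call; the path heuristic is what catches a re-packed build whose hashes have changed but which still installs under a locale folder.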

                                            • memory/680-125-0x0000000002710000-0x0000000002790000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/680-123-0x0000000000B30000-0x0000000000E9A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/680-124-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/680-136-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/1512-78-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/1512-68-0x000000001B380000-0x000000001B400000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/1512-67-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/1512-66-0x0000000000EB0000-0x000000000121A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/1804-154-0x0000000000600000-0x0000000000680000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/1804-165-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/1804-153-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2600-94-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2600-105-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2856-109-0x00000000009D0000-0x00000000009E2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2856-121-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2856-110-0x000000001AF20000-0x000000001AF76000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/2856-107-0x00000000001B0000-0x000000000051A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/2856-108-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2860-151-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2860-138-0x0000000000C40000-0x0000000000FAA000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/2860-139-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2860-140-0x000000001AC80000-0x000000001AD00000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/3012-81-0x000000001B230000-0x000000001B2B0000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/3012-80-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/3012-92-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/3024-27-0x00000000025F0000-0x00000000025F8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-12-0x00000000008C0000-0x00000000008CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-20-0x0000000000B10000-0x0000000000B18000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-18-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-17-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-21-0x0000000000B20000-0x0000000000B32000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3024-22-0x0000000000B30000-0x0000000000B3C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-16-0x0000000000A90000-0x0000000000AE6000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/3024-23-0x0000000002580000-0x000000000258C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-24-0x0000000002590000-0x0000000002598000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-25-0x00000000025A0000-0x00000000025AC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-0-0x00000000003A0000-0x000000000070A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/3024-15-0x0000000000A80000-0x0000000000A8A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3024-14-0x00000000008F0000-0x0000000000900000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/3024-26-0x00000000025B0000-0x00000000025BC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-13-0x00000000008E0000-0x00000000008E8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-35-0x0000000002640000-0x0000000002648000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-28-0x00000000025C0000-0x00000000025CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-30-0x00000000025E0000-0x00000000025EE000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/3024-19-0x0000000000B00000-0x0000000000B0C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-11-0x00000000008D0000-0x00000000008E2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3024-29-0x00000000025D0000-0x00000000025DA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3024-10-0x00000000008B0000-0x00000000008B8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-32-0x0000000002610000-0x000000000261E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/3024-9-0x0000000000890000-0x00000000008A6000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/3024-8-0x0000000000880000-0x0000000000890000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/3024-7-0x0000000000390000-0x0000000000398000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-31-0x0000000002600000-0x0000000002608000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-6-0x0000000000280000-0x000000000029C000-memory.dmp

                                              Filesize

                                              112KB

                                            • memory/3024-33-0x0000000002620000-0x0000000002628000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-5-0x0000000000270000-0x0000000000278000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3024-63-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/3024-34-0x0000000002630000-0x000000000263C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-37-0x000000001AB70000-0x000000001AB7C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3024-4-0x0000000000260000-0x000000000026E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/3024-36-0x000000001AB60000-0x000000001AB6A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3024-3-0x0000000000250000-0x000000000025E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/3024-2-0x000000001B510000-0x000000001B590000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/3024-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

                                              Filesize

                                              9.9MB
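
The dump names above encode everything needed to summarise them: `memory/<pid>-<sequence>-<start>-<end>-memory.dmp`, with the listed Filesize equal to end minus start. Read that way, the list shows a 0x36A000-byte (3.4MB) region in PIDs 680, 1512, 2856, 2860 and 3024, the same size in each, and one 0x9EC000-byte (9.9MB) mapping in the 0x000007FEF... range in every PID. The parser below is an added example, not part of the sandbox report: it splits the names, recomputes the sizes in the report's own units, groups regions by process and answers the question a triager actually has, which PIDs hold a mapping of a given size. `SAMPLE` is a constructed input made of lines copied from the list above; the address-range labels in `region_kind` are a coarse heuristic of mine, not something the report states.

```python
"""Parse memory/<pid>-<seq>-<start>-<end>-memory.dmp names from a sandbox
report and summarise them per process.

Added example, not part of the report. SAMPLE is a constructed input whose
lines are copied from the dump list above.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample input: entries copied verbatim from the list above.
SAMPLE = """\
memory/3024-0-0x00000000003A0000-0x000000000070A000-memory.dmp
memory/3024-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
memory/3024-2-0x000000001B510000-0x000000001B590000-memory.dmp
memory/3024-6-0x0000000000280000-0x000000000029C000-memory.dmp
memory/680-123-0x0000000000B30000-0x0000000000E9A000-memory.dmp
memory/680-124-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp
memory/2856-107-0x00000000001B0000-0x000000000051A000-memory.dmp
memory/2856-109-0x00000000009D0000-0x00000000009E2000-memory.dmp
"""


def parse_dump_name(name):
    """Split one dump name into pid, sequence number and address range.
    Returns None for names that do not match or describe an empty range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format like the report: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def region_kind(r):
    """Coarse label (my heuristic): Win7 x64 maps system DLLs near 0x7FE...;
    anything else is split on size only."""
    if r["start"] >= 0x7FE00000000:
        return "high-range module (system DLL area)"
    if r["size"] >= 1 << 20:
        return "large image or heap"
    return "small heap/JIT region"


def parse_listing(text):
    """All well-formed regions in a block of dump names, in listing order."""
    regions = (parse_dump_name(line) for line in text.splitlines() if line.strip())
    return [r for r in regions if r is not None]


def by_process(text):
    """{pid: [regions sorted by start address]}"""
    out = defaultdict(list)
    for r in parse_listing(text):
        out[r["pid"]].append(r)
    for regs in out.values():
        regs.sort(key=lambda r: r["start"])
    return dict(out)


def pids_with_region_size(text, size):
    """PIDs holding a region of exactly `size` bytes, e.g. 0x36A000 for the
    3.4MB mapping that recurs across the processes in this report."""
    return sorted({r["pid"] for r in parse_listing(text) if r["size"] == size})


def summarize(text):
    """Per-process summary in the report's size units."""
    lines = []
    for pid, regs in sorted(by_process(text).items()):
        total = sum(r["size"] for r in regs)
        lines.append(f"pid {pid}: {len(regs)} regions, {human_size(total)} dumped")
        for r in regs:
            lines.append(f"  {r['start']:#018x}-{r['end']:#018x} "
                         f"{human_size(r['size']):>7}  {region_kind(r)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("payload-sized (0x36A000) mapping in:", pids_with_region_size(SAMPLE, 0x36A000))
```

Feeding the whole dump list into `pids_with_region_size(..., 0x36A000)` gives the set of processes that mapped an image the size of the payload, which is a quicker way to find the copies worth pulling than reading the sizes by eye.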