Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2023, 00:21

General

  • Target

    20ec8d347f674ebadc53399ef6aa49cb.exe

  • Size

    3.4MB

  • MD5

    20ec8d347f674ebadc53399ef6aa49cb

  • SHA1

    f418d228eb276f216b4986b55b2c762d11991a31

  • SHA256

    9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

  • SHA512

    e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

  • SSDEEP

    49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ

Malware Config

Signatures

  • DcRat 59 IoCs

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
  • DCRat payload 20 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • System policy modification 1 TTPs 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
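
The "Creates scheduled task(s)" signature above fires 57 times because the sample registers three tasks per dropped copy of itself: one ONLOGON task and two short-interval MINUTE tasks, most with /rl HIGHEST, each launching a file named after a Windows process (smss, lsass, csrss, dllhost, ...) from a directory where no such binary lives. The script below is an added triage example, not part of this report or of any sandbox's own tooling: it parses schtasks /create command lines as they appear in the process list and scores each task on those indicators. SYSTEM_NAMES, SYSTEM_DIRS and WRITABLE_DIRS are assumptions for the example; the four sample command lines are copied from the process list below, the fifth is a constructed benign control and the sixth is a constructed non-schtasks line that must be ignored.

```python
import re

# Names Windows uses for its own processes (smss, lsass, csrss, ... plus the
# pseudo-processes "System" and "Idle"). A scheduled task that launches a file of
# that name from outside the system directories is masquerading (ATT&CK T1036.005).
# This list and the directory lists below are assumptions for the example; seed them
# from your own baseline.
SYSTEM_NAMES = {"smss", "lsass", "csrss", "dllhost", "spoolsv", "runtimebroker",
                "searchapp", "backgroundtaskhost", "upfc", "system", "idle"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a standard user can write to, or that no legitimate task should launch from.
WRITABLE_DIRS = ("c:\\users\\", "c:\\recovery\\", "c:\\odt\\", "c:\\programdata\\")


def _opt(pattern, cmdline):
    m = re.search(pattern, cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Return the fields of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    # /tr may be double-quoted around single quotes (as in this report), plainly
    # quoted, or bare; take whichever alternative matched.
    m = re.search(r'''/tr\s+(?:"'([^']*)'"|"([^"]*)"|(\S+))''', cmdline, re.IGNORECASE)
    target = next((g for g in m.groups() if g is not None), "") if m else ""
    return {
        "name": _opt(r'/tn\s+"([^"]+)"', cmdline) or _opt(r"/tn\s+(\S+)", cmdline) or "",
        "schedule": (_opt(r"/sc\s+(\w+)", cmdline) or "").upper(),
        "modifier": int(_opt(r"/mo\s+(\d+)", cmdline) or 0),
        "target": target,
        "level": (_opt(r"/rl\s+(\w+)", cmdline) or "LIMITED").upper(),
    }


def assess(task):
    """List the persistence indicators a parsed task exhibits."""
    hits = []
    path = task["target"].lower()
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    name = task["name"].lower()
    if stem in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        hits.append("system process name outside System32")
    if path.startswith(WRITABLE_DIRS):
        hits.append("target in user-writable or unusual directory")
    # DCRat names each task after the file it launches, sometimes with the file's
    # first letter appended (dllhost/dllhostd, smss/smsss, Idle/IdleI).
    if stem and name in (stem, stem + stem[0]):
        hits.append("task name derived from target file name")
    if task["level"] == "HIGHEST":
        hits.append("/rl HIGHEST (runs elevated when the user is an admin)")
    if task["schedule"] == "ONLOGON":
        hits.append("runs at every logon")
    elif task["schedule"] == "MINUTE" and 0 < task["modifier"] <= 15:
        hits.append(f"re-runs every {task['modifier']} min (watchdog)")
    return hits


def triage(cmdlines):
    """Score every schtasks /create line; return (name, target, hits) sorted worst-first."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        hits = assess(task)
        if hits:
            findings.append((task["name"], task["target"], hits))
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


# Four command lines copied from the process list in this report, one constructed
# benign task as a control, and one constructed non-schtasks line that must be ignored.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
    r'''"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat"''',
]

if __name__ == "__main__":
    for name, target, hits in triage(SAMPLE_CMDLINES):
        print(f"{name:<14} {target}")
        for h in hits:
            print(f"    - {h}")
```

The scoring is deliberately additive: a single indicator (a HIGHEST task, or a short interval) has legitimate uses, but a task that launches lsass.exe from C:\Users\Default at every logon with HIGHEST privileges collects five of them. On a live host the same logic runs over the command lines in Security event 4698 or Sysmon event 1 where the image is schtasks.exe.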

Processes

  • C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe
    "C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2728
        • C:\Recovery\WindowsRE\Idle.exe
          "C:\Recovery\WindowsRE\Idle.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3840
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\327d7c89-d934-45bb-922f-f703e4be55af.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Recovery\WindowsRE\Idle.exe
              C:\Recovery\WindowsRE\Idle.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4580
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8998bce-3d4f-4009-9c0e-8859ba9e4e69.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3928
                • C:\Recovery\WindowsRE\Idle.exe
                  C:\Recovery\WindowsRE\Idle.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1432
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\280fb390-02cf-4940-8bb4-69894669b0d2.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:212
                    • C:\Recovery\WindowsRE\Idle.exe
                      C:\Recovery\WindowsRE\Idle.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3756
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4476a622-1239-419c-b12b-b6fd93def516.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2728
                        • C:\Recovery\WindowsRE\Idle.exe
                          C:\Recovery\WindowsRE\Idle.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2480
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444a57c1-dd60-404b-ba4d-5dfd0391b452.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4264
                            • C:\Recovery\WindowsRE\Idle.exe
                              C:\Recovery\WindowsRE\Idle.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:3276
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af648bd0-9af2-4566-bd36-ab77e32f2b77.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4764
                                • C:\Recovery\WindowsRE\Idle.exe
                                  C:\Recovery\WindowsRE\Idle.exe
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:3928
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8613c36d-90fd-44f6-bcf1-a7f4daa67318.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3916
                                    • C:\Recovery\WindowsRE\Idle.exe
                                      C:\Recovery\WindowsRE\Idle.exe
                                      17⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:4344
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca8a3790-a6e7-40c1-bc29-9e5df56f381e.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:884
                                        • C:\Recovery\WindowsRE\Idle.exe
                                          C:\Recovery\WindowsRE\Idle.exe
                                          19⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:2300
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dbcc325-c951-4d65-9c86-32a0bdca3b2e.vbs"
                                            20⤵
                                              PID:4236
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs"
                                              20⤵
                                                PID:2848
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93a1958-dab5-4132-a428-abebcca164c4.vbs"
                                            18⤵
                                              PID:4936
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54b8b15f-5f75-4b0c-bf4d-3daec22dc83d.vbs"
                                          16⤵
                                            PID:2664
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb6e415c-b047-4c37-b09d-4ca051d12f13.vbs"
                                        14⤵
                                          PID:3868
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbe1fe4-5f7b-429e-b978-d6b1210415b7.vbs"
                                      12⤵
                                        PID:4712
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730e9bea-b176-43ad-bad1-6cbd98c3f3cd.vbs"
                                    10⤵
                                      PID:4992
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs"
                                  8⤵
                                    PID:4584
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51683b07-20a1-481b-ae4d-46c92f221e37.vbs"
                                6⤵
                                  PID:3464
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\890a8615-d6c4-40c9-b70e-85a087ce95af.vbs"
                              4⤵
                                PID:4268
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4572
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5052
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3824
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1940
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2416
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4768
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1964
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4232
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:228
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2632
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1808
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4100
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3500
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:320
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3416
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1792
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2300
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3316
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1456
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:884
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5028
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:396
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1208
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1556
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\spoolsv.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3140
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1252
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1800
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4268
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3984
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3216
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4872
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2852
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4380
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3372
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4728
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2924
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsass.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4560
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4780
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1796
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2692
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4948
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4452
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3928
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1316
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2612
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:536
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1068
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5000
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3460
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3996
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3368
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4828
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1240
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:700
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:872
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2960
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2928

                              Downloads

                              • C:\ProgramData\WindowsHolographicDevices\OfficeClickToRun.exe

                                Filesize

                                3.4MB

                                MD5

                                20ec8d347f674ebadc53399ef6aa49cb

                                SHA1

                                f418d228eb276f216b4986b55b2c762d11991a31

                                SHA256

                                9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                SHA512

                                e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                              • C:\Recovery\WindowsRE\Idle.exe

                                Filesize

                                3.4MB

                                MD5

                                20ec8d347f674ebadc53399ef6aa49cb

                                SHA1

                                f418d228eb276f216b4986b55b2c762d11991a31

                                SHA256

                                9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                SHA512

                                e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

                                Filesize

                                1KB

                                MD5

                                49b64127208271d8f797256057d0b006

                                SHA1

                                b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                                SHA256

                                2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                                SHA512

                                f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                              • C:\Users\Admin\AppData\Local\Temp\280fb390-02cf-4940-8bb4-69894669b0d2.vbs

                                Filesize

                                706B

                                MD5

                                a32163308b7c7c65325f10614f00babf

                                SHA1

                                d789b82a033dc7721f17651fbf430ef67bce38ac

                                SHA256

                                a520c5d5bf2cf19b5b6d485192d9deecbb84a4bdb86861e48a44b0a63b732ac8

                                SHA512

                                649dd943668c9995f85bbd71d63d590fa1e95b0a699f0b64dca55e5f31930b9a56d2c3ba0ea3d52115a58dd8630cccd0b55661e76b82f3eec6232995fb5ecc1f

                              • C:\Users\Admin\AppData\Local\Temp\2dbcc325-c951-4d65-9c86-32a0bdca3b2e.vbs

                                Filesize

                                706B

                                MD5

                                0123a3feebc04de019335c4d2ebf8be7

                                SHA1

                                ff3b83d575dafae7b76247dd4c68197ec7b4b1c6

                                SHA256

                                5504f7a63995932fe5f059f28c74c548c9cb69ca937d64472336d41ba999e2bc

                                SHA512

                                f04956eeaeefa745d3ab2185928d66cc8410e881b2857354de0d0e23246b2991c6f294c3047201584dcda0a513a884b495ccf4844782cc39d3cca8ac006c7206

                              • C:\Users\Admin\AppData\Local\Temp\327d7c89-d934-45bb-922f-f703e4be55af.vbs

                                Filesize

                                706B

                                MD5

                                9c0778de2ff06827464a84a2450cc3ad

                                SHA1

                                685667a52b25babc302f5a410310d70c1589b0ac

                                SHA256

                                6893f416819ee06870e6b87164193910f8a1ddab0218737dcd416e16870b2414

                                SHA512

                                d821cda6d008a16a4844fc479be04a94a0b9e8deddb43d14e83005e6ca4c5182d5a2db681137125bbf6108672f528ec5bbd729333d83cb4fe9b9fdbff53596a7

                              • C:\Users\Admin\AppData\Local\Temp\444a57c1-dd60-404b-ba4d-5dfd0391b452.vbs

                                Filesize

                                706B

                                MD5

                                f1981cded8c737feff3c0df65d841968

                                SHA1

                                5e02aa4e8b6e522b60b2b301da3c7ba3d37524aa

                                SHA256

                                41191250ed6b77849d403cfaecc043e86ccf9ec25674d495ec04647b1795d426

                                SHA512

                                e97d9dc8534e69103d5b532bbc37225aff27b40c2ac3debeb72934776d023f9a27c7e04458cecb52e58c8b1aaa81b969a79b577291f8184e3494fe9f2dd0a19e

                              • C:\Users\Admin\AppData\Local\Temp\4476a622-1239-419c-b12b-b6fd93def516.vbs

                                Filesize

                                706B

                                MD5

                                a67b70ea5afd738b4ad2a3e724da5d40

                                SHA1

                                e99d42a6eebe4003d1482cb5f62cf8d84681967f

                                SHA256

                                3e5fc79f7144242b07470796a5412a441ef6c14f11ed2d0c6a138ada26167274

                                SHA512

                                aba154c10995978332397e1e7f529bd5ec42bb44869747e28a5d309a5235e1a99946a4df559b31c01b9a8065a733327cbf86f89afa8efdf5c1d4263efe38f3f4

                              • C:\Users\Admin\AppData\Local\Temp\51683b07-20a1-481b-ae4d-46c92f221e37.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\54b8b15f-5f75-4b0c-bf4d-3daec22dc83d.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\5bb2b87cf27a024d00107e7ee845fa2ec61451a0.exe

                                Filesize

                                3.4MB

                                MD5

                                20ec8d347f674ebadc53399ef6aa49cb

                                SHA1

                                f418d228eb276f216b4986b55b2c762d11991a31

                                SHA256

                                9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                SHA512

                                e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                              • C:\Users\Admin\AppData\Local\Temp\730e9bea-b176-43ad-bad1-6cbd98c3f3cd.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\8613c36d-90fd-44f6-bcf1-a7f4daa67318.vbs

                                Filesize

                                706B

                                MD5

                                6660635041bc83949ed6d29065c97492

                                SHA1

                                4d9699342582ef91ef9223b5df15ced539959028

                                SHA256

                                cdfcd6d0d3bd63b4f3c5f0dd95defe4e6f18a5926e1f6de3154912dfeb180de9

                                SHA512

                                0215af55a8dd9f81be4dc9e13474c08c92005f00322eed52e07d55f7c86d8080ccb706bf530127e094406c2978770005683806d84c78e13d914a560c5e8e01cf

                              • C:\Users\Admin\AppData\Local\Temp\890a8615-d6c4-40c9-b70e-85a087ce95af.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\af648bd0-9af2-4566-bd36-ab77e32f2b77.vbs

                                Filesize

                                706B

                                MD5

                                77ee81e221338d48988c781fd958057e

                                SHA1

                                201444d030b8eb444c5f876ff39a3de783b10971

                                SHA256

                                d5ee4fd6ebd981926610464e24341b446fb8a9f1e4ddb996ea338ee249ec6180

                                SHA512

                                5120825640b14dccb6b807985f780171bead8fb355fb0cf43a7324d55293a6240e9978bef8f49decff0e2c48fb09ecb44ee23e0c62dfb90c6725104ea9e2587e

                              • C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\bcbe1fe4-5f7b-429e-b978-d6b1210415b7.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\c8998bce-3d4f-4009-9c0e-8859ba9e4e69.vbs

                                Filesize

                                706B

                                MD5

                                9071e6059286afe0ef7772ea202441da

                                SHA1

                                9f690276214537b14129e3b5d7b940052f5b4b92

                                SHA256

                                e8e766a0e8c90a22563d2937b010f887224759e67603e2339976129cf4169724

                                SHA512

                                7997723841139ea3e6d41a8f975b51cc97f5236decf84f87921b1694b991122db1c05ab6400450561802e626c945a6e64456da90022ea56a17a7733cf2d20eb4

                              • C:\Users\Admin\AppData\Local\Temp\ca8a3790-a6e7-40c1-bc29-9e5df56f381e.vbs

                                Filesize

                                706B

                                MD5

                                eef485156adaac0047dc106227efed52

                                SHA1

                                3dd18ff24e98aeee8243b4f0f04ddbdcb5747d8f

                                SHA256

                                c9826d70ba7e04fb1ec653cf3803268c15ab4b9f24b00fca9efb0a0053426b1b

                                SHA512

                                6c7c63f79c33c03a68047c58c6427025a6b5fcadbbd60a64569f6f2f249b53ab1a2950b77e4a9e72e4f206d800eb14f01265befef4f2c95f9803bbef6ed828f4

                              • C:\Users\Admin\AppData\Local\Temp\e93a1958-dab5-4132-a428-abebcca164c4.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\eb6e415c-b047-4c37-b09d-4ca051d12f13.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs

                                Filesize

                                482B

                                MD5

                                9e639d038c856f39aabd1fbd4becc9ef

                                SHA1

                                a89f190f2f235d9039fefd566a814116cb8ca913

                                SHA256

                                29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58

                                SHA512

                                b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

                              • C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat

                                Filesize

                                195B

                                MD5

                                8bd2b7ede91ecfc7b58052536f2b7ec7

                                SHA1

                                04172e6c52259f4a9c195cd473a5e85b343deab3

                                SHA256

                                a8cd99a539aa1622ce415f6126e457fa03a5397a962f18b1c403c87d2daed57a

                                SHA512

                                822e2e954a9528103fdd62a62fff36e93672be1bb42a5ff9ce3cb8c213f8e8828befd667d6980ad3a12bf63434f9c35bf6f5a1b60a449143ae01bee2f329ff6f

                              • memory/1432-129-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/1432-117-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/1432-118-0x00000000019B0000-0x00000000019C0000-memory.dmp

                                Filesize

                                64KB

                              • memory/1612-26-0x000000001BD80000-0x000000001BD88000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-0-0x0000000000390000-0x00000000006FA000-memory.dmp

                                Filesize

                                3.4MB

                              • memory/1612-1-0x00007FFE6E7F0000-0x00007FFE6F2B1000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/1612-2-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

                                Filesize

                                64KB

                              • memory/1612-39-0x000000001C060000-0x000000001C06C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-36-0x000000001C030000-0x000000001C03C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-3-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

                                Filesize

                                56KB

                              • memory/1612-38-0x000000001C050000-0x000000001C05A000-memory.dmp

                                Filesize

                                40KB

                              • memory/1612-37-0x000000001C040000-0x000000001C048000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-4-0x0000000000E30000-0x0000000000E3E000-memory.dmp

                                Filesize

                                56KB

                              • memory/1612-5-0x0000000001090000-0x0000000001098000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-35-0x000000001BE10000-0x000000001BE18000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-34-0x000000001BE00000-0x000000001BE0E000-memory.dmp

                                Filesize

                                56KB

                              • memory/1612-33-0x000000001BDF0000-0x000000001BDF8000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-32-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

                                Filesize

                                56KB

                              • memory/1612-6-0x00000000010A0000-0x00000000010BC000-memory.dmp

                                Filesize

                                112KB

                              • memory/1612-31-0x000000001BDD0000-0x000000001BDDA000-memory.dmp

                                Filesize

                                40KB

                              • memory/1612-30-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-29-0x000000001BDB0000-0x000000001BDB8000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-28-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-27-0x000000001BD90000-0x000000001BD9C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-17-0x000000001BCB0000-0x000000001BD06000-memory.dmp

                                Filesize

                                344KB

                              • memory/1612-25-0x000000001BD70000-0x000000001BD7C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-24-0x000000001BD60000-0x000000001BD6C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-7-0x00000000029F0000-0x0000000002A40000-memory.dmp

                                Filesize

                                320KB

                              • memory/1612-8-0x00000000010C0000-0x00000000010C8000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-23-0x000000001C360000-0x000000001C888000-memory.dmp

                                Filesize

                                5.2MB

                              • memory/1612-22-0x000000001BD30000-0x000000001BD42000-memory.dmp

                                Filesize

                                72KB

                              • memory/1612-21-0x000000001BD20000-0x000000001BD28000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-9-0x00000000010D0000-0x00000000010E0000-memory.dmp

                                Filesize

                                64KB

                              • memory/1612-20-0x000000001BE20000-0x000000001BE2C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-84-0x00007FFE6E7F0000-0x00007FFE6F2B1000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/1612-10-0x00000000010E0000-0x00000000010F6000-memory.dmp

                                Filesize

                                88KB

                              • memory/1612-19-0x000000001BD10000-0x000000001BD18000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-18-0x000000001BD00000-0x000000001BD0C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-14-0x0000000001120000-0x0000000001128000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-11-0x0000000001100000-0x0000000001108000-memory.dmp

                                Filesize

                                32KB

                              • memory/1612-15-0x0000000002A40000-0x0000000002A50000-memory.dmp

                                Filesize

                                64KB

                              • memory/1612-12-0x0000000001110000-0x0000000001122000-memory.dmp

                                Filesize

                                72KB

                              • memory/1612-13-0x0000000001130000-0x000000000113C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1612-16-0x0000000002A50000-0x0000000002A5A000-memory.dmp

                                Filesize

                                40KB

                              • memory/2480-145-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2480-157-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2480-146-0x000000001B510000-0x000000001B520000-memory.dmp

                                Filesize

                                64KB

                              • memory/3276-171-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3276-159-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3276-160-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

                                Filesize

                                64KB

                              • memory/3756-131-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3756-143-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3756-132-0x00000000015D0000-0x00000000015E0000-memory.dmp

                                Filesize

                                64KB

                              • memory/3840-89-0x000000001B5F0000-0x000000001B600000-memory.dmp

                                Filesize

                                64KB

                              • memory/3840-88-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3840-100-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3928-174-0x0000000000FF0000-0x0000000001000000-memory.dmp

                                Filesize

                                64KB

                              • memory/3928-185-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/3928-173-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4344-188-0x000000001BF80000-0x000000001BF90000-memory.dmp

                                Filesize

                                64KB

                              • memory/4344-187-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4580-115-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4580-104-0x000000001B750000-0x000000001B760000-memory.dmp

                                Filesize

                                64KB

                              • memory/4580-103-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp

                                Filesize

                                10.8MB
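The dropped-file and memory-dump entries above are easier to act on as a de-duplicated IOC set than as a flat list, since several GUID-named .vbs drops share one MD5/SHA1/SHA256 (identical content written under different names) and every memory dump name encodes the PID and the address range it was taken from. The script below is an added example, not part of the sandbox report: it parses a constructed excerpt of the listing above (paths and hashes copied from the entries, SHA1/SHA512 lines left out to keep it short), checks that each digest is hex of the length its algorithm produces, groups the dropped files by SHA256, decodes each memory/<pid>-<seq>-<start>-<end>-memory.dmp name to confirm the reported Filesize matches the address range, and reports ranges dumped from more than one process (the same image mapped at the same base in each). The function names and the assumption that Filesize is rendered in binary units with one decimal for MB are the example's own; the latter is inferred from the sizes listed, not documented by the report.

```python
# Added example, not part of the sandbox report: parse the flattened listing above
# into a de-duplicated IOC set and sanity-check the memory-dump entries.
import re
from collections import defaultdict

# Constructed excerpt of the listing above (SHA1/SHA512 lines and blank lines dropped).
REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs
Filesize
482B
MD5
9e639d038c856f39aabd1fbd4becc9ef
SHA256
29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
• C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs
Filesize
482B
MD5
9e639d038c856f39aabd1fbd4becc9ef
SHA256
29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
• C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat
Filesize
195B
MD5
8bd2b7ede91ecfc7b58052536f2b7ec7
SHA256
a8cd99a539aa1622ce415f6126e457fa03a5397a962f18b1c403c87d2daed57a
• memory/1612-0-0x0000000000390000-0x00000000006FA000-memory.dmp
Filesize
3.4MB
• memory/3840-88-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp
Filesize
10.8MB
• memory/4580-103-0x00007FFE6E6C0000-0x00007FFE6F181000-memory.dmp
Filesize
10.8MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_listing(text):
    """Each bullet line starts an entry; the lines after it alternate label, value."""
    entries, label = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            label = None
        elif entries and label is None:
            label = line
        elif entries:
            entries[-1][label] = line
            label = None
    return entries

def malformed_hashes(entry):
    """Labels whose value is not a hex digest of the length that algorithm produces."""
    return [h for h, n in HASH_LEN.items()
            if h in entry and not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", entry[h])]

def group_by_sha256(entries):
    """SHA256 -> paths; differently named drops with one digest are one file by content."""
    groups = defaultdict(list)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"].lower()].append(e["path"])
    return dict(groups)

def fmt_size(n):
    """Render a byte count the way the report does (assumed: binary units, .1f for MB)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def memory_regions(entries):
    """Decode memory/<pid>-<seq>-<start>-<end>-memory.dmp and cross-check Filesize."""
    regions = []
    for e in entries:
        if m := MEM_RE.match(e["path"]):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "start": start, "end": end, "size": end - start,
                            "consistent": fmt_size(end - start) == e.get("Filesize")})
    return regions

def shared_mappings(regions):
    """Ranges dumped from more than one PID: the same image mapped at one base in each."""
    pids = defaultdict(set)
    for r in regions:
        pids[(r["start"], r["end"])].add(r["pid"])
    return {k: v for k, v in pids.items() if len(v) > 1}

if __name__ == "__main__":
    entries = parse_listing(REPORT)
    for sha, paths in group_by_sha256(entries).items():
        print(f"{sha}  x{len(paths)}  {paths}")
    regions = memory_regions(entries)
    for r in regions:
        print(f"pid {r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
              f"{fmt_size(r['size'])} {'ok' if r['consistent'] else 'MISMATCH'}")
    print({f"0x{s:X}-0x{e:X}": sorted(p) for (s, e), p in shared_mappings(regions).items()})
```

Run against the full listing, the same grouping collapses the six 482-byte .vbs entries to a single SHA256 and the two 706-byte ones to two, and the size cross-check holds for every dump above (for example 0x6FA000 - 0x390000 = 0x36A000 bytes, which the report shows as 3.4MB); a MISMATCH would point at a mis-transcribed range or size worth re-checking before the hash goes into a blocklist.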