Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2023, 01:01

General

  • Target

    0924b9eca922c9227c4f426be5174bae.exe

  • Size

    4.8MB

  • MD5

    0924b9eca922c9227c4f426be5174bae

  • SHA1

    8d2abdecd0fc744ee836d75ad5c3b52585d8041f

  • SHA256

    e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8

  • SHA512

    47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2

  • SSDEEP

    49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/

Malware Config

Signatures

  • DcRat 55 IoCs

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
  • DCRat payload 32 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
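Added example (not part of this report or of the sandbox vendor's tooling): the schtasks.exe /create and reg.exe command lines recorded in the process tree below can be reduced to a persistence IOC table. The script parses them, groups the tasks by target binary, and flags the pattern visible in the tree: each dropped executable is registered three times (an interval task, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST) under a name that imitates a Windows system process but runs from a directory such as C:\MSOCache or C:\Program Files. It also recognises the reg add that sets DisableTaskMgr. The triad definition and the look-alike name list are this example's own assumptions; the sample input is a subset of the command lines shown on this page.

```python
"""Turn the schtasks.exe /create and reg.exe add command lines recorded in the
process tree into persistence IOCs and flag the DCRat-style pattern.
Added example for this report page, not tooling from the sandbox vendor."""
import re
from collections import defaultdict

# Sample input: command lines copied verbatim from the process tree on this
# page (a subset: the taskhost.exe and Idle.exe triads, one winlogon.exe task
# and the reg.exe entry).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\winlogon.exe'" /f''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
]

# schtasks switches as they appear in the report; /tr wraps the path in "'...'"
SWITCHES = {
    "task_name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "interval": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "run_level": re.compile(r"/rl\s+(\w+)", re.I),
}


def parse_schtasks(cmdline):
    """Return the persistence-relevant fields of a schtasks /create command,
    or None if the command line is not one."""
    if not re.match(r"\s*schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    fields = {}
    for name, rx in SWITCHES.items():
        m = rx.search(cmdline)
        fields[name] = m.group(1) if m else None
    fields["schedule"] = (fields["schedule"] or "").upper()
    fields["interval"] = int(fields["interval"]) if fields["interval"] else None
    fields["highest"] = (fields.pop("run_level") or "").upper() == "HIGHEST"
    return fields


# Names of genuine Windows processes that the dropped binaries imitate
# (assumption of this example, seeded from the task targets on this page).
LOOKALIKE_NAMES = {"taskhost.exe", "idle.exe", "wininit.exe", "winlogon.exe",
                   "system.exe", "lsm.exe", "csrss.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerades(path):
    """True when a system-process name runs from outside the system directories."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in LOOKALIKE_NAMES and not p.startswith(SYSTEM_DIRS)


# Each dropped binary is registered three times in the tree: an interval task
# at user level, an ONLOGON task at HIGHEST, and a second interval task at HIGHEST.
TRIAD = {("MINUTE", False), ("ONLOGON", True), ("MINUTE", True)}


def dcrat_triads(cmdlines):
    """Group tasks by target binary; report whether the full triad is present."""
    by_target = defaultdict(list)
    for c in cmdlines:
        t = parse_schtasks(c)
        if t and t["target"]:
            by_target[t["target"].lower()].append(t)
    report = {}
    for target, tasks in by_target.items():
        kinds = {(t["schedule"], t["highest"]) for t in tasks}
        report[target] = {
            "tasks": len(tasks),
            "task_names": sorted({t["task_name"] for t in tasks}),
            "triad": TRIAD <= kinds,
            "masquerade": masquerades(target),
        }
    return report


REG_ADD = re.compile(r"reg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<value>\S+)"
                     r"\s+/t\s+(?P<type>\S+)\s+/d\s+(?P<data>\S+)", re.I)


def task_manager_disabled(cmdlines):
    r"""True if any command sets HKCU\...\Policies\System\DisableTaskMgr to 1."""
    for c in cmdlines:
        m = REG_ADD.search(c)
        if (m and m["value"].lower() == "disabletaskmgr"
                and m["key"].lower().endswith(r"\policies\system")
                and m["data"] == "1"):
            return True
    return False


if __name__ == "__main__":
    for target, info in dcrat_triads(SAMPLE_CMDLINES).items():
        flag = "TRIAD" if info["triad"] else "partial"
        mask = " masquerade" if info["masquerade"] else ""
        print(f"{flag:7}{mask:12} {info['tasks']} task(s) {info['task_names']} -> {target}")
    print("DisableTaskMgr set:", task_manager_disabled(SAMPLE_CMDLINES))
```

Feeding the script the full set of schtasks lines from the tree (or schtasks command lines from Sysmon event 1 on a suspect host) yields one row per dropped binary; the task names (taskhost, Idle, wininit, winlogon, System, lsm, winRefMonitor and their suffixed variants) and the target paths are the IOCs to sweep for, and a binary with only one or two of the three tasks is still worth pulling, since the ONLOGON task alone gives the RAT persistence at high integrity.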

Processes

  • C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
    "C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\driversessioncrt\winRefMonitor.exe
          "C:\driversessioncrt\winRefMonitor.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2304
          • C:\Users\Default User\Idle.exe
            "C:\Users\Default User\Idle.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2884
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1216
              • C:\Users\Default User\Idle.exe
                "C:\Users\Default User\Idle.exe"
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1552
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d14c06b-8378-4731-b165-4807a2518949.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2108
                  • C:\Users\Default User\Idle.exe
                    "C:\Users\Default User\Idle.exe"
                    9⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2568
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a0d647-ff7e-49cb-9934-340a5d72a931.vbs"
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1460
                      • C:\Users\Default User\Idle.exe
                        "C:\Users\Default User\Idle.exe"
                        11⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2440
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7fb275-0fc6-42a5-9b5f-1c8c08fc1351.vbs"
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1788
                          • C:\Users\Default User\Idle.exe
                            "C:\Users\Default User\Idle.exe"
                            13⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:2176
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35bec90-31dc-46b3-8696-fb9d5f90b5cc.vbs"
                              14⤵
                                PID:2600
                                • C:\Users\Default User\Idle.exe
                                  "C:\Users\Default User\Idle.exe"
                                  15⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:1512
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a591c9e4-ff40-4f7f-aa46-d91683971f20.vbs"
                                    16⤵
                                      PID:2412
                                      • C:\Users\Default User\Idle.exe
                                        "C:\Users\Default User\Idle.exe"
                                        17⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:2300
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4386507-e143-426a-8a68-8e9952d04003.vbs"
                                          18⤵
                                            PID:1428
                                            • C:\Users\Default User\Idle.exe
                                              "C:\Users\Default User\Idle.exe"
                                              19⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:2464
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08d09c4-c313-4eb6-8a44-8c465bbbbe03.vbs"
                                                20⤵
                                                  PID:1596
                                                  • C:\Users\Default User\Idle.exe
                                                    "C:\Users\Default User\Idle.exe"
                                                    21⤵
                                                    • UAC bypass
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:1400
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41113b90-1b69-459b-ac26-23d086d89439.vbs"
                                                      22⤵
                                                        PID:1600
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34ebc9b-80a3-4361-afb8-3067b4282ee9.vbs"
                                                        22⤵
                                                          PID:2456
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71cde320-ff3e-4e44-b296-91a77191491a.vbs"
                                                      20⤵
                                                        PID:1980
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9114eb4-1a01-47a1-8f54-3c71d0b607fd.vbs"
                                                    18⤵
                                                      PID:2904
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f46b3da-4289-4cd9-a01f-e769fe45c79d.vbs"
                                                  16⤵
                                                    PID:3016
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b58bb03-84ed-41ef-9258-91ec62b1f6a5.vbs"
                                                14⤵
                                                  PID:2232
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\910e23da-a579-4e41-9d81-7afe33bd8605.vbs"
                                              12⤵
                                                PID:1000
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb7e341-36b1-4fa3-aaa1-61cb70739857.vbs"
                                            10⤵
                                              PID:2376
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs"
                                          8⤵
                                            PID:1500
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs"
                                        6⤵
                                          PID:2868
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                      4⤵
                                      • Modifies registry key
                                      PID:768
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
                                  2⤵
                                    PID:2476
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1956
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1872
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:276
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1884
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1972
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2056
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1948
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2512
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:692
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\winlogon.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2064
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1644
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1552
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\driversessioncrt\System.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2308
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2612
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2192
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2164
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:524
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:624
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2652
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2976
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2008
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2644
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1120
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1996
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1148
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1300
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:956
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1844
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2096
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:868
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:584
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1460
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2200
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1332
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2520
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2760
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\lsm.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1412
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1360
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2680
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2240
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1508
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2624
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2800
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2584
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:3024
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1892
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1916
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2552
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2804
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2480
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2376
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2356
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2268
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2312

                                Network

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\1d14c06b-8378-4731-b165-4807a2518949.vbs

                                        Filesize

                                        706B

                                        MD5

                                        803097664d2b47bb181ad16b1efd0265

                                        SHA1

                                        5bd24cdf0730739e4c592a740d6fd9c7c81f2429

                                        SHA256

                                        da99f178cf10eb76265fa315799d1c616895db5347af425bc74624d52bd6b665

                                        SHA512

                                        22664bb345d1ff6b9d6748f4e7b7962cfdee39ab58f68c59ec729502e582a98d2a39b7144857a1d5514eba771598762eb6b2155b517d61ff2d1afa8b1e8ead42

                                      • C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs

                                        Filesize

                                        706B

                                        MD5

                                        af14cd157ea3cd99f86fa101a56296dc

                                        SHA1

                                        8d003127e77b51e4a4839071ff57edd682a9c614

                                        SHA256

                                        5a3c5e310dfb2869a2bd25eca2593834f6d99bef899eae91c2ff87f59b9f5c78

                                        SHA512

                                        b4ce19496e962c1e5894482c82bd0b926b0c9d4350563b2ff706fd2a7376fece52aa17359d93ae6eefbd8da9df960576feb938c1ea95a94f9931093bee6c75a8

                                      • C:\Users\Admin\AppData\Local\Temp\1fb7e341-36b1-4fa3-aaa1-61cb70739857.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\24a0d647-ff7e-49cb-9934-340a5d72a931.vbs

                                        Filesize

                                        706B

                                        MD5

                                        f7fe6de5015506801350a7bccedb0c66

                                        SHA1

                                        9ed234ac8dd6a064cfc2d4f5496cc5d0b422ba28

                                        SHA256

                                        9840921768030374b20bc9e61420e07440b8a6f2f3e38ab62bcb998c0fd7c600

                                        SHA512

                                        ba5047e541e53a6af553b4c7e97059d83f89449dc12bb18f82780eda41a87a467fcd20af804f1a58531582201c4a47773ba66f23af5281466f0c6e0cd51f48de

                                      • C:\Users\Admin\AppData\Local\Temp\41113b90-1b69-459b-ac26-23d086d89439.vbs

                                        Filesize

                                        706B

                                        MD5

                                        0fc91bda12256de30d9feacc9a3947c0

                                        SHA1

                                        6fa4bae559c5aaf586bc5f16230e0cb7820c62af

                                        SHA256

                                        45847ac06526de9eef77d8bded1595488875633b851c7a591e6143a0b8f1eb0a

                                        SHA512

                                        d14ed2f29556d2b1cb3eff47365b3b0bc2ebf384a7a09cfffc7330f411db3192cf09da3eba859eebb4a27ee2b4fe968e615104567fcffe8450ca193d49f82aa3

                                      • C:\Users\Admin\AppData\Local\Temp\5b58bb03-84ed-41ef-9258-91ec62b1f6a5.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\71cde320-ff3e-4e44-b296-91a77191491a.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\7d7fb275-0fc6-42a5-9b5f-1c8c08fc1351.vbs

                                        Filesize

                                        706B

                                        MD5

                                        c575ea1bab586499ed030a88b0b032f9

                                        SHA1

                                        98cedd108b82c5fab3e60a09c7174abcf14acc6e

                                        SHA256

                                        8b77d8bfa8e93ecd9b35b6957c2e162ab54a39bf53fe3133083d082566bbfc4a

                                        SHA512

                                        c2d144668a478f82bfc781dfc69669911de2a5eb01ad4c7c464ead2c5b3d7bc8c864c7ec98768c7054395f92b9eb4654ec87ffea72a3b1ec8a89d648d6a7e1ca

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

                                        Filesize

                                        3.4MB

                                        MD5

                                        20ec8d347f674ebadc53399ef6aa49cb

                                        SHA1

                                        f418d228eb276f216b4986b55b2c762d11991a31

                                        SHA256

                                        9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                        SHA512

                                        e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                      • C:\Users\Admin\AppData\Local\Temp\8f46b3da-4289-4cd9-a01f-e769fe45c79d.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\910e23da-a579-4e41-9d81-7afe33bd8605.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\a4386507-e143-426a-8a68-8e9952d04003.vbs

                                        Filesize

                                        706B

                                        MD5

                                        9ee13cbb111f6d31347095a54d366596

                                        SHA1

                                        55ec550aaed63fb331c55d4c0afa3c4f87d81500

                                        SHA256

                                        ff634b14e2bc36852410165f3f0a2cd2c1c2faa4f41a10d0e459799e426bfa96

                                        SHA512

                                        59ad95306617853f2cf0c3cd619af307a170e6bdefdd775a78fe61cc44df24ce0f213a628136dfc640e8670722f29e84d9dbbdb584b5a1d8fae70761a91da266

                                      • C:\Users\Admin\AppData\Local\Temp\a591c9e4-ff40-4f7f-aa46-d91683971f20.vbs

                                        Filesize

                                        706B

                                        MD5

                                        5254277bb8994bafb66633a81d58e3e2

                                        SHA1

                                        41675568a9a2d669d64b81d0d1fd3d3dab815204

                                        SHA256

                                        c33ae29b8af1929c835b868f6808923c77b0388b7cb229de405c40b8757f13d8

                                        SHA512

                                        39bdc00189ec74c8cdcef1c20460badb4f2153a511ad18c4df4af777075171bb25b07c5879447e7f6518af9ef678f0e0e3ceaefdb1b2ce5c8f3e54c0441d652c

                                      • C:\Users\Admin\AppData\Local\Temp\b08d09c4-c313-4eb6-8a44-8c465bbbbe03.vbs

                                        Filesize

                                        706B

                                        MD5

                                        42ba3b0ea5e6ffd5edd8d99b60a1d238

                                        SHA1

                                        3cbd7f766904ca13be699fa343d4a99051dd0e14

                                        SHA256

                                        76a865fbf6da8b850b74c9c529e285d706c5c2699646ed5357187eff18012a31

                                        SHA512

                                        b3f44c6a230f7b47510636197a7b8816993fb80dc297aeb20d3f4aa189457661bd26c94b3f2aac857cb649a0c5057c23b3ac0dffa2f54e9d51ffba308eb0152c

                                      • C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

                                      • C:\Users\Admin\AppData\Local\Temp\c9114eb4-1a01-47a1-8f54-3c71d0b607fd.vbs

                                        Filesize

                                        482B

                                        MD5

                                        f67289236d89602515d18e962b5fc536

                                        SHA1

                                        508b3bedbf20b5f8de85ac7773209ef81d93cf05

                                        SHA256

                                        d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

                                        SHA512

                                        3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

• C:\Users\Admin\AppData\Local\Temp\d34ebc9b-80a3-4361-afb8-3067b4282ee9.vbs
  Filesize: 482B
  MD5: f67289236d89602515d18e962b5fc536
  SHA1: 508b3bedbf20b5f8de85ac7773209ef81d93cf05
  SHA256: d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
  SHA512: 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

• C:\Users\Admin\AppData\Local\Temp\d35bec90-31dc-46b3-8696-fb9d5f90b5cc.vbs
  Filesize: 706B
  MD5: cc73c785ea800bdf94275a01d492b44b
  SHA1: d3c5eeb4bedac2aaa5f2c8ff23c815ab54e8d373
  SHA256: f44370a461586be250e1e4083744e6632a26e4013c94ac74017f9c8a22601cc4
  SHA512: 35eb31f7d5027d80650f43048571ab4921097bb8c39d5e3945aafea8bf9e40f453e6dd779b9e02a0378a0b072f66f3893c323bcffb861f4fd23e74923c8b66b7

• C:\Users\Default User\Idle.exe
  Filesize: 3.4MB
  MD5: 20ec8d347f674ebadc53399ef6aa49cb
  SHA1: f418d228eb276f216b4986b55b2c762d11991a31
  SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
  SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

• C:\Users\Default\Idle.exe
  Filesize: 3.4MB
  MD5: 20ec8d347f674ebadc53399ef6aa49cb
  SHA1: f418d228eb276f216b4986b55b2c762d11991a31
  SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
  SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

• C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat
  Filesize: 151B
  MD5: 40a5023d150998b4ba256dd94ea31230
  SHA1: 36702bfd3e71b3495e61ea589003bb856b959aca
  SHA256: e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
  SHA512: 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

• C:\driversessioncrt\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

• C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe
  Filesize: 223B
  MD5: d7664d494b1b6e05334ada9accc57d06
  SHA1: 2cc50d284a600e30287fdef5efe56a586199eb28
  SHA256: 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
  SHA512: 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

• C:\driversessioncrt\winRefMonitor.exe
  Filesize: 3.4MB
  MD5: 20ec8d347f674ebadc53399ef6aa49cb
  SHA1: f418d228eb276f216b4986b55b2c762d11991a31
  SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
  SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

• C:\driversessioncrt\wininit.exe
  Filesize: 3.4MB
  MD5: 20ec8d347f674ebadc53399ef6aa49cb
  SHA1: f418d228eb276f216b4986b55b2c762d11991a31
  SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
  SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

• \driversessioncrt\winRefMonitor.exe
  Filesize: 3.4MB
  MD5: 20ec8d347f674ebadc53399ef6aa49cb
  SHA1: f418d228eb276f216b4986b55b2c762d11991a31
  SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
  SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

• memory/1552-120-0x0000000000AD0000-0x0000000000AE2000-memory.dmp
  Filesize: 72KB

• memory/1552-118-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
  Filesize: 9.9MB

• memory/1552-117-0x0000000000BA0000-0x0000000000F0A000-memory.dmp
  Filesize: 3.4MB

• memory/1552-119-0x000000001B2D0000-0x000000001B350000-memory.dmp
  Filesize: 512KB

• memory/1552-131-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
  Filesize: 9.9MB

• memory/2176-164-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2176-165-0x0000000000E10000-0x000000000117A000-memory.dmp
  Filesize: 3.4MB

• memory/2176-166-0x000000001B1B0000-0x000000001B230000-memory.dmp
  Filesize: 512KB

• memory/2176-167-0x00000000006C0000-0x00000000006D2000-memory.dmp
  Filesize: 72KB

• memory/2304-34-0x0000000000AC0000-0x0000000000AD0000-memory.dmp
  Filesize: 64KB

• memory/2304-102-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2304-57-0x000000001AB90000-0x000000001AB9C000-memory.dmp
  Filesize: 48KB

• memory/2304-56-0x000000001AB80000-0x000000001AB8A000-memory.dmp
  Filesize: 40KB

• memory/2304-55-0x000000001AB70000-0x000000001AB78000-memory.dmp
  Filesize: 32KB

• memory/2304-54-0x000000001AB60000-0x000000001AB6C000-memory.dmp
  Filesize: 48KB

• memory/2304-53-0x000000001AB50000-0x000000001AB58000-memory.dmp
  Filesize: 32KB

• memory/2304-52-0x000000001AB40000-0x000000001AB4E000-memory.dmp
  Filesize: 56KB

• memory/2304-51-0x000000001AB30000-0x000000001AB38000-memory.dmp
  Filesize: 32KB

• memory/2304-50-0x000000001AB10000-0x000000001AB1E000-memory.dmp
  Filesize: 56KB

• memory/2304-49-0x000000001AAF0000-0x000000001AAFA000-memory.dmp
  Filesize: 40KB

• memory/2304-48-0x000000001AB00000-0x000000001AB0C000-memory.dmp
  Filesize: 48KB

• memory/2304-47-0x000000001AB20000-0x000000001AB28000-memory.dmp
  Filesize: 32KB

• memory/2304-46-0x0000000001270000-0x000000000127C000-memory.dmp
  Filesize: 48KB

• memory/2304-45-0x0000000001260000-0x000000000126C000-memory.dmp
  Filesize: 48KB

• memory/2304-44-0x0000000001250000-0x0000000001258000-memory.dmp
  Filesize: 32KB

• memory/2304-43-0x0000000001240000-0x000000000124C000-memory.dmp
  Filesize: 48KB

• memory/2304-42-0x0000000001230000-0x000000000123C000-memory.dmp
  Filesize: 48KB

• memory/2304-41-0x0000000001200000-0x0000000001212000-memory.dmp
  Filesize: 72KB

• memory/2304-40-0x0000000000BE0000-0x0000000000BE8000-memory.dmp
  Filesize: 32KB

• memory/2304-39-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
  Filesize: 48KB

• memory/2304-38-0x0000000000BC0000-0x0000000000BC8000-memory.dmp
  Filesize: 32KB

• memory/2304-37-0x0000000000B30000-0x0000000000B3C000-memory.dmp
  Filesize: 48KB

• memory/2304-36-0x0000000000AE0000-0x0000000000B36000-memory.dmp
  Filesize: 344KB

• memory/2304-35-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
  Filesize: 40KB

• memory/2304-33-0x0000000000AB0000-0x0000000000AB8000-memory.dmp
  Filesize: 32KB

• memory/2304-32-0x0000000000AA0000-0x0000000000AAC000-memory.dmp
  Filesize: 48KB

• memory/2304-31-0x00000000005F0000-0x0000000000602000-memory.dmp
  Filesize: 72KB

• memory/2304-30-0x00000000005E0000-0x00000000005E8000-memory.dmp
  Filesize: 32KB

• memory/2304-29-0x00000000005C0000-0x00000000005D6000-memory.dmp
  Filesize: 88KB

• memory/2304-28-0x0000000000580000-0x0000000000590000-memory.dmp
  Filesize: 64KB

• memory/2304-27-0x0000000000360000-0x0000000000368000-memory.dmp
  Filesize: 32KB

• memory/2304-26-0x00000000005A0000-0x00000000005BC000-memory.dmp
  Filesize: 112KB

• memory/2304-25-0x0000000000260000-0x0000000000268000-memory.dmp
  Filesize: 32KB

• memory/2304-24-0x0000000000250000-0x000000000025E000-memory.dmp
  Filesize: 56KB

• memory/2304-23-0x0000000000240000-0x000000000024E000-memory.dmp
  Filesize: 56KB

• memory/2304-22-0x000000001B190000-0x000000001B210000-memory.dmp
  Filesize: 512KB

• memory/2304-21-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2304-20-0x0000000001380000-0x00000000016EA000-memory.dmp
  Filesize: 3.4MB

• memory/2440-150-0x000000001B1D0000-0x000000001B250000-memory.dmp
  Filesize: 512KB

• memory/2440-148-0x00000000000A0000-0x000000000040A000-memory.dmp
  Filesize: 3.4MB

• memory/2440-151-0x0000000002190000-0x00000000021A2000-memory.dmp
  Filesize: 72KB

• memory/2440-162-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
  Filesize: 9.9MB

• memory/2440-149-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
  Filesize: 9.9MB

• memory/2568-133-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2568-146-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2568-135-0x00000000024E0000-0x00000000024F2000-memory.dmp
  Filesize: 72KB

• memory/2568-134-0x000000001B1B0000-0x000000001B230000-memory.dmp
  Filesize: 512KB

• memory/2732-0-0x0000000000BC0000-0x0000000000FE8000-memory.dmp
  Filesize: 4.2MB

• memory/2732-12-0x0000000000BC0000-0x0000000000FE8000-memory.dmp
  Filesize: 4.2MB

• memory/2884-115-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2884-105-0x0000000002360000-0x0000000002372000-memory.dmp
  Filesize: 72KB

• memory/2884-104-0x00000000006E0000-0x00000000006F2000-memory.dmp
  Filesize: 72KB

• memory/2884-103-0x000000001B370000-0x000000001B3F0000-memory.dmp
  Filesize: 512KB

• memory/2884-101-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp
  Filesize: 9.9MB

• memory/2884-100-0x0000000000810000-0x0000000000B7A000-memory.dmp
  Filesize: 3.4MB