Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-11-2024 23:57

General

  • Target

    83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe

  • Size

    4.9MB

  • MD5

    c373114b88515ff2956327bf7e65f898

  • SHA1

    56a5b38dbd5a456719b0d429e253a946313a4895

  • SHA256

    83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099

  • SHA512

    47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
    "C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
      "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:396
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4168a809-0c5c-446f-9422-24333cf4321f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
          "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1136
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42d2aa3-a12b-48af-ab57-6dc8a356cf78.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
              "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2712
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55618d34-8e8d-4608-9725-e2894be7e94b.vbs"
                7⤵
                  PID:2172
                  • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                    "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2908
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b891d9da-ce65-41b8-ad1d-4b211ee555f6.vbs"
                      9⤵
                        PID:2688
                        • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                          "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                          10⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2108
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61117d-66ed-43c0-8cc9-e1dd6a2f76a7.vbs"
                            11⤵
                              PID:2768
                              • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                12⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:1940
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05dc9605-5aed-4b6b-9514-b07f2c3f5614.vbs"
                                  13⤵
                                    PID:1156
                                    • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                      "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                      14⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2692
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce88c35-906b-49f9-8b91-f6462be76330.vbs"
                                        15⤵
                                          PID:1780
                                          • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                            "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                            16⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:1604
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480b9a70-d1a8-46f8-b5ca-db49d3bb8943.vbs"
                                              17⤵
                                                PID:316
                                                • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                  "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                  18⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:1980
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5abf60e7-be24-4994-8b10-5aff32bf3b13.vbs"
                                                    19⤵
                                                      PID:2700
                                                      • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                        "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                        20⤵
                                                        • UAC bypass
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:348
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b34bd7-631b-4176-b227-ad541a38129b.vbs"
                                                          21⤵
                                                            PID:1660
                                                            • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                              "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                              22⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1296
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebcaa934-05f7-467f-b38b-aa8731e20cf4.vbs"
                                                                23⤵
                                                                  PID:1528
                                                                  • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                                    "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                                    24⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:1836
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d0460c-1f17-4e74-9055-22cc88a635ce.vbs"
                                                                      25⤵
                                                                        PID:1760
                                                                        • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                                          "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                                          26⤵
                                                                          • UAC bypass
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:2840
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11cda63-1733-487f-9881-ddf64eaf8df9.vbs"
                                                                            27⤵
                                                                              PID:1560
                                                                              • C:\Program Files\DVD Maker\de-DE\sppsvc.exe
                                                                                "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
                                                                                28⤵
                                                                                • UAC bypass
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:1056
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6340a7fd-e481-40a5-9496-949061b8e034.vbs"
                                                                                  29⤵
                                                                                    PID:2448
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1db9dc-7ebf-49e1-9c79-5834dddb55e3.vbs"
                                                                                    29⤵
                                                                                      PID:952
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f07690-e989-4cef-b7c4-694832cb2844.vbs"
                                                                                  27⤵
                                                                                    PID:2524
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463cc1a1-faa2-4fca-b0e9-cf8d0591249a.vbs"
                                                                                25⤵
                                                                                  PID:2416
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c7de44-41b8-428a-ab2e-a71543bfc0b8.vbs"
                                                                              23⤵
                                                                                PID:3048
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3622f946-46af-4490-97cc-9d4ebd9873d3.vbs"
                                                                            21⤵
                                                                              PID:1004
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39b2a71-20db-4e8f-a005-43ebf728796e.vbs"
                                                                          19⤵
                                                                            PID:1692
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a5e709b-a857-42a1-b4ec-62af5d655acd.vbs"
                                                                        17⤵
                                                                          PID:1480
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96b43c8-9127-4861-8dcd-3c251e9d9a0b.vbs"
                                                                      15⤵
                                                                        PID:2204
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa84f080-67c3-49e0-809b-e98a36ad5093.vbs"
                                                                    13⤵
                                                                      PID:2012
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1eed196-bab8-409d-b0a3-dcec040cfa94.vbs"
                                                                  11⤵
                                                                    PID:2324
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a9a3141-19e2-4b92-a63b-321d87cd0d32.vbs"
                                                                9⤵
                                                                  PID:2824
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016fee74-0d97-4640-be63-e7977b3d04d2.vbs"
                                                              7⤵
                                                                PID:2472
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0c2139-8e56-47c5-a85c-282eccd9736d.vbs"
                                                            5⤵
                                                              PID:1744
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce009a05-6605-40f5-bc74-8a2c2e4cccea.vbs"
                                                          3⤵
                                                            PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1624
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2788
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2588
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2872
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2888
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2992
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1788
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:984
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:396
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2368
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\system\wininit.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1448
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:372
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1168
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1480
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:532
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3052
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\csrss.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3048
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2500
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2584
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2008
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:992
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:448
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2436
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1932
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1548
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1740
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1660
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1868
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1540
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:848
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:956
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1536
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2468
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1720
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2544
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2356
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1760
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\sppsvc.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1724
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1056
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2080
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1744
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2520
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2548

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\MSOCache\All Users\services.exe

                                                        Filesize

                                                        4.9MB

                                                        MD5

                                                        c373114b88515ff2956327bf7e65f898

                                                        SHA1

                                                        56a5b38dbd5a456719b0d429e253a946313a4895

                                                        SHA256

                                                        83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099

                                                        SHA512

                                                        47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b

                                                      • C:\Program Files\Reference Assemblies\spoolsv.exe

                                                        Filesize

                                                        4.9MB

                                                        MD5

                                                        5399086aaf8216803bfb6b126aee396a

                                                        SHA1

                                                        f19bccda72834717eb112b2f33fb6a17d89af756

                                                        SHA256

                                                        5e2df70b00f8f24ad5d3396f75c16c4df89ae7fa818bfd0218a2e25e97723382

                                                        SHA512

                                                        a5b8cbb840cadc0b956435e942b673ef51aaeba692ff3d7638d5afc1097a95939f2e7cd796e03f8f8b4c3d8ed6868ff4b5f4a28b05dc912df567c34091eaa63c

                                                      • C:\Users\Admin\AppData\Local\Temp\05dc9605-5aed-4b6b-9514-b07f2c3f5614.vbs

                                                        Filesize

                                                        719B

                                                        MD5

                                                        99d6a65530148081dc6f3c06554502c6

                                                        SHA1

                                                        0f8d9ffcad9d178a089a232e42f8488a363d5297

                                                        SHA256

                                                        c92e0713e6e082d6a15002be97eb34ad40d7e48b19a877c08f45c7f4ea395420

  SHA512: 757d62228915a1fe2ab8a6f98470aa8884ce9e5872022293c81720cc8493c22c6a18750c24b5b8d3659be55ab90206090644bcfec8015323391d6ee5debe7e84

• C:\Users\Admin\AppData\Local\Temp\0a61117d-66ed-43c0-8cc9-e1dd6a2f76a7.vbs
  Filesize: 719B
  MD5: 7b5d7f382185a820beb3ceace5b774ae
  SHA1: 02ee1e38419d01c30efa73e02c706496150d8f77
  SHA256: 2002120ccae5ef05dcf0fa16e81587b619ad91e3389910f3b3c4f6e4eacedfde
  SHA512: a38284c48fb0fe5a9a0101a023d7098f5d121d9889e84703066a4ff2f8bf9d0fae807b47ca29e78ea45d2cc3e27ea884402fedf09fedb21a162bb257de114978

• C:\Users\Admin\AppData\Local\Temp\4168a809-0c5c-446f-9422-24333cf4321f.vbs
  Filesize: 718B
  MD5: a6dac5d4b628c7268849e42c7180662a
  SHA1: e465dfa5d0553bfb5dcfdc981c4d05b7ff0d5933
  SHA256: 0c2f34b201106bddfd3b7e5c9b9243ab06c4752f9d98e563ee52b2f4d994992d
  SHA512: 807e7c13f8406e45fd3c3a94daa70d3aebb7f7d8f989c1ca7c2ca55e56ab062b557889260b780f166c75f89433e1133eb6630f2a6d384fb11523d2fdcda73d2f

• C:\Users\Admin\AppData\Local\Temp\480b9a70-d1a8-46f8-b5ca-db49d3bb8943.vbs
  Filesize: 719B
  MD5: 8cdbf1bd743ef622ab88341a2c36fbe4
  SHA1: b70a4b093457534c295796e5c2391ae084c2067a
  SHA256: 8eae7e25f4681f83b206376db00c58ea917f0d2c70a7cddbc2b54b4a6eb03e34
  SHA512: 15cadf745c97e44cd762711846820a09630963d68a01375af0d1ebe5634a80dee14b1c0760fa1938690efb3a83f4bdc26335022033338d31059c8fbb6cf79d16

• C:\Users\Admin\AppData\Local\Temp\48d0460c-1f17-4e74-9055-22cc88a635ce.vbs
  Filesize: 719B
  MD5: 3526ca0b6de24f1ecd4b10ac7f068406
  SHA1: 361a4ccb376305872ff1f6d39cfdde2e9fa37401
  SHA256: d9b9bfe51007bce3f995be18d86bcedfc44ff7e6d183e2f1e598557bbf0c56ce
  SHA512: 8543889603db841750bd58d390648b1961840f2402035353d3904a296799c58898607f812277fc3628362e055e6842f4f269216c6fb82f314e2ce017fc1a9c57

• C:\Users\Admin\AppData\Local\Temp\55618d34-8e8d-4608-9725-e2894be7e94b.vbs
  Filesize: 719B
  MD5: 62ff6edc1f190e6775071618f3fdbea5
  SHA1: abb43364459153315d9bad3cdead84c97e657cc2
  SHA256: 9117b0cce774f348fa4ef62cb6c91b70f20e49898bc8ea4a656b48f9db187ebd
  SHA512: ac90fe844cdae1ab6ce818a01b898c43a87a9ddaf4dd03d2aaf626700097943eb330600641a2395c0fc263250db7372170246bf4696227075687c5c9bca6b39f

• C:\Users\Admin\AppData\Local\Temp\5abf60e7-be24-4994-8b10-5aff32bf3b13.vbs
  Filesize: 719B
  MD5: 7322bd66f14f3ebda6212ea87180afa8
  SHA1: 9e10336dac690f4f477f8b2c4a54f92909b69ed9
  SHA256: 1f84686c30d74afd65a30aec47e778c9eb34b3a4c74a0e78358e11c4c79e6e82
  SHA512: 73cf03fa1e17d9e4922cc8e78b19d39557ad4486c85b168eaa735339ea35a7246be014af575a304367d5b3689cf717732b3849e80f26e235e5d57512e92332c8

• C:\Users\Admin\AppData\Local\Temp\b891d9da-ce65-41b8-ad1d-4b211ee555f6.vbs
  Filesize: 719B
  MD5: 2fe06ba9f2696566a0a145cdd872cc04
  SHA1: 90b467e41efa030aa11a8507571c6d34a77f4f4a
  SHA256: da32991a8103352b2209694009eeda9855ed1eeef47f72b8e54c0f885f72d932
  SHA512: 2a7748d2599861bad7b6d411840d03328a7f727fbab7b8cac985cf51770e2b9563641014aeeda3caba9279edbac3c60d3f7c935f71464ac87144c5ca40d45a17

• C:\Users\Admin\AppData\Local\Temp\ce009a05-6605-40f5-bc74-8a2c2e4cccea.vbs
  Filesize: 495B
  MD5: 39ff076509dbfdc6423bed6c8ed3e947
  SHA1: 17032ec9938327b8d06055bbae040171d715a052
  SHA256: 71cb905f0dcbf96f79de3fb6d5186a74a5177b7d19c7e41c8a1d239791b6cd00
  SHA512: 8fccb3ad8789633f5758da912a25ebd12b3519e6908cb02b5cb080af138b5d2231373f19149d702d9eeefe305d8f5d102fad57f12c32f7591642bd229408ce46

• C:\Users\Admin\AppData\Local\Temp\d11cda63-1733-487f-9881-ddf64eaf8df9.vbs
  Filesize: 719B
  MD5: 69b1c01002ef36e8ed3b44ad9bba773d
  SHA1: 3f5522280dc033f861a994e394e438962e4a07a1
  SHA256: cccdffd960f43832557b0d714b853dbf7ff59cf205ffbbe7016775c919d901ef
  SHA512: d571e3d2d1b5b34ee371d2d6d750e57c18f65b862c3560fbfed1c8306d3d7dbc50c80712e183d295a081f7d8af94af362f78f63d987ef8fcd6e682da27f55da2

• C:\Users\Admin\AppData\Local\Temp\d42d2aa3-a12b-48af-ab57-6dc8a356cf78.vbs
  Filesize: 719B
  MD5: 6af8a90404d791b489681a732ba66c1b
  SHA1: 12df339e4feae27149a3c74fb5b0ff3bbcb4e5ed
  SHA256: 5ba72da5091595eb32cbfa48bb3323b7deea6b4c9fae49f753c684da6acfd135
  SHA512: 31f77515b532a47d0686d3c8e828582735ea46002282900089ffa8f5eea83d688cace82599c7ad13d69abcbd5e2037cf4f0c2207814b68c96d035bdb44ace00e

• C:\Users\Admin\AppData\Local\Temp\dce88c35-906b-49f9-8b91-f6462be76330.vbs
  Filesize: 719B
  MD5: ddd0a456537c28d36588e25345cb5854
  SHA1: a9740f7846ec4ef7d29bc4793a0754481c3ed62f
  SHA256: 24e8a86920da543aacc05645ec31aa581e5abdd16c9202958a2c8b1bd0ad75f4
  SHA512: 07a1d508f3ae4bf426e74dd28049ea5bcfb3f3e88dec07930e9afc17e44d200f1272b3ab3f623a20986bcdc63c325ed05bb2c6226f62fcaeede733da026f567d

• C:\Users\Admin\AppData\Local\Temp\ebcaa934-05f7-467f-b38b-aa8731e20cf4.vbs
  Filesize: 719B
  MD5: 0aa061bee821bbedc7c9e20aa4af36a1
  SHA1: a5bcc9e5f6f7130fffc0b601b94cb1629573bec6
  SHA256: 5f1b4b305f89d239325368a04cf5f684664a720f118804b29b46890ea7938c6c
  SHA512: d9ffa7f52d0e2f65de827d95a675772520cfa56241c3634827ed8b2de4eff22a9af7584e65c8d6ee7b6dc0095ef3a4d785d9d12caa11f074e8ce1bd5833927ca

• C:\Users\Admin\AppData\Local\Temp\f4b34bd7-631b-4176-b227-ad541a38129b.vbs
  Filesize: 718B
  MD5: 761370f9c911d9f7fe424ee74f42d925
  SHA1: c593271c4bc9ead43d0f60b9ae4f5d70623c03bf
  SHA256: 3caa5dcad8fa7710b39397d8fd7e0a9230ac99fc0128db5ea9605b7e799b5c06
  SHA512: 1d62b6a34ca3acc67e483441fe65b80afda96f35c68352de4e2a7cc5fc4becfc390fb12f9ce11650746b36fb6713af02b1b1b9cddb633b142652ce35864d4288

• C:\Users\Admin\AppData\Local\Temp\tmpCB0C.tmp.exe
  Filesize: 75KB
  MD5: e0a68b98992c1699876f818a22b5b907
  SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
  SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
  SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c95bc7771cbdc5e398ea848d55b605c9
  SHA1: f3f06a740d307f9f7f840fd3c76f1c987287df22
  SHA256: ab370e3fba08f688c3ee98e06006831f02dd8fae773ce05f4b5a3e85aff9a4c4
  SHA512: c44abcef986fb978af3d9daa31d36bc7fd3dd19eed68ed33d0f272e2f67ca468349d002137891c1f7c5aa763c4206e20c08cfd8bc958bfbf055ba45043d1b7cf

• memory/396-221-0x0000000001270000-0x0000000001764000-memory.dmp
  Filesize: 5.0MB

• memory/396-243-0x00000000005A0000-0x00000000005B2000-memory.dmp
  Filesize: 72KB

• memory/1136-257-0x00000000005A0000-0x00000000005B2000-memory.dmp
  Filesize: 72KB

• memory/1836-398-0x00000000001A0000-0x0000000000694000-memory.dmp
  Filesize: 5.0MB

• memory/2340-181-0x000000001B600000-0x000000001B8E2000-memory.dmp
  Filesize: 2.9MB

• memory/2340-186-0x00000000027E0000-0x00000000027E8000-memory.dmp
  Filesize: 32KB

• memory/2840-413-0x0000000000E60000-0x0000000001354000-memory.dmp
  Filesize: 5.0MB

• memory/2932-16-0x00000000006C0000-0x00000000006CC000-memory.dmp
  Filesize: 48KB

• memory/2932-15-0x00000000006B0000-0x00000000006B8000-memory.dmp
  Filesize: 32KB

• memory/2932-9-0x0000000000600000-0x000000000060A000-memory.dmp
  Filesize: 40KB

• memory/2932-14-0x00000000006A0000-0x00000000006A8000-memory.dmp
  Filesize: 32KB

• memory/2932-13-0x0000000000690000-0x000000000069E000-memory.dmp
  Filesize: 56KB

• memory/2932-136-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp
  Filesize: 4KB

• memory/2932-12-0x0000000000680000-0x000000000068E000-memory.dmp
  Filesize: 56KB

• memory/2932-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp
  Filesize: 4KB

• memory/2932-242-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
  Filesize: 9.9MB

• memory/2932-150-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
  Filesize: 9.9MB

• memory/2932-8-0x00000000005F0000-0x0000000000600000-memory.dmp
  Filesize: 64KB

• memory/2932-7-0x00000000003C0000-0x00000000003D6000-memory.dmp
  Filesize: 88KB

• memory/2932-6-0x00000000003B0000-0x00000000003C0000-memory.dmp
  Filesize: 64KB

• memory/2932-5-0x0000000000290000-0x0000000000298000-memory.dmp
  Filesize: 32KB

• memory/2932-4-0x0000000000390000-0x00000000003AC000-memory.dmp
  Filesize: 112KB

• memory/2932-3-0x000000001B7A0000-0x000000001B8CE000-memory.dmp
  Filesize: 1.2MB

• memory/2932-10-0x0000000000650000-0x0000000000662000-memory.dmp
  Filesize: 72KB

• memory/2932-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
  Filesize: 9.9MB

• memory/2932-11-0x0000000000670000-0x000000000067A000-memory.dmp
  Filesize: 40KB

• memory/2932-1-0x00000000008F0000-0x0000000000DE4000-memory.dmp
  Filesize: 5.0MB