Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2024 12:51

General

  • Target

    16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

  • Size

    4.9MB

  • MD5

    d6c32cc92aff05247e665fec5d1ca5ed

  • SHA1

    864e040db2c99477669bbe45261d8d93ebdba021

  • SHA256

    16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

  • SHA512

    b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2

Malware Config

Signatures

  • DcRat 48 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
    "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
      "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zseo6rLH0D.bat"
        3⤵
          PID:348
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            4⤵
              PID:996
            • C:\Windows\system\System.exe
              "C:\Windows\system\System.exe"
              4⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:1668
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d964f881-43c7-4e1e-9d3d-6d416a322991.vbs"
                5⤵
                  PID:2968
                  • C:\Windows\system\System.exe
                    C:\Windows\system\System.exe
                    6⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2808
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b82b552-8929-4464-a7f2-05f79c5e87d7.vbs"
                      7⤵
                        PID:2908
                        • C:\Windows\system\System.exe
                          C:\Windows\system\System.exe
                          8⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:812
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3374cd-9d99-4fca-b19b-c3040f5f7323.vbs"
                            9⤵
                              PID:1924
                              • C:\Windows\system\System.exe
                                C:\Windows\system\System.exe
                                10⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:1520
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9016b773-8dac-4084-9f7b-36ccae39f18f.vbs"
                                  11⤵
                                    PID:832
                                    • C:\Windows\system\System.exe
                                      C:\Windows\system\System.exe
                                      12⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:1472
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5c96c5c-b6f5-422f-81dc-7609fe4006ce.vbs"
                                        13⤵
                                          PID:1236
                                          • C:\Windows\system\System.exe
                                            C:\Windows\system\System.exe
                                            14⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2912
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d79e3463-723a-42bf-8a09-7a72c8ee771c.vbs"
                                              15⤵
                                                PID:2528
                                                • C:\Windows\system\System.exe
                                                  C:\Windows\system\System.exe
                                                  16⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:2200
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\615da95f-f0a6-44f1-818e-c7940c037c5a.vbs"
                                                    17⤵
                                                      PID:2960
                                                      • C:\Windows\system\System.exe
                                                        C:\Windows\system\System.exe
                                                        18⤵
                                                        • UAC bypass
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1756
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd2c6cd-1c47-4e0d-90fa-4cfdbb9c92a3.vbs"
                                                          19⤵
                                                            PID:1428
                                                            • C:\Windows\system\System.exe
                                                              C:\Windows\system\System.exe
                                                              20⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1480
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7ef1e7-6829-4a70-8a01-0731db8fcaec.vbs"
                                                                21⤵
                                                                  PID:1408
                                                                  • C:\Windows\system\System.exe
                                                                    C:\Windows\system\System.exe
                                                                    22⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:2076
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bef9a72-5224-4907-86eb-2abcb3c387da.vbs"
                                                                      23⤵
                                                                        PID:1508
                                                                        • C:\Windows\system\System.exe
                                                                          C:\Windows\system\System.exe
                                                                          24⤵
                                                                          • UAC bypass
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:1908
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca0a575-c099-4431-9fed-8c0572abb7ca.vbs"
                                                                            25⤵
                                                                              PID:1172
                                                                              • C:\Windows\system\System.exe
                                                                                C:\Windows\system\System.exe
                                                                                26⤵
                                                                                • UAC bypass
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:1004
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90423d8e-7225-45d4-98ea-05435d97a731.vbs"
                                                                                  27⤵
                                                                                    PID:2216
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66ac1c5e-26b6-4754-bb50-3afd81f3e3a9.vbs"
                                                                                    27⤵
                                                                                      PID:1520
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2558fc9-7ea6-4676-b752-67a0340e09dd.vbs"
                                                                                  25⤵
                                                                                    PID:2340
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d195a985-2102-4ede-8a4a-c311ae03f60e.vbs"
                                                                                23⤵
                                                                                  PID:1212
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa8fc0df-d739-422b-ad79-fabf6fdaa8c0.vbs"
                                                                              21⤵
                                                                                PID:1176
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8402ffd3-29eb-4354-8fa6-4fe67ca8eb1b.vbs"
                                                                            19⤵
                                                                              PID:328
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56bddca7-0a4c-4497-bf5a-2307cbba1a88.vbs"
                                                                          17⤵
                                                                            PID:1648
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239e3e40-870d-423e-aa8e-af18ff8c3be6.vbs"
                                                                        15⤵
                                                                          PID:2396
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278cfcee-9ff2-4605-b307-85eca6330a24.vbs"
                                                                      13⤵
                                                                        PID:2612
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b12fcb2-274b-4932-9ce5-cf531c70a3e3.vbs"
                                                                    11⤵
                                                                      PID:904
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267fef69-9f61-43f3-81a7-88054fd3eb85.vbs"
                                                                  9⤵
                                                                    PID:956
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59f00af7-d24b-49fd-b5d5-47bf5511d8fc.vbs"
                                                                7⤵
                                                                  PID:1300
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20228fc4-6781-4e22-98f1-8680358c9330.vbs"
                                                              5⤵
                                                                PID:1084
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2712
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2656
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2560
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2664
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2600
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1924
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1724
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2860
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2720
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2924
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:3016
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1280
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2604
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2640
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2288
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2432
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2792
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2292
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:664
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2856
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2808
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1488
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1436
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1676
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1556
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2972
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1704
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2252
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1208
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1832
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1320
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2508
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2044
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:852
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:980
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2612
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1288
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1152
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:280
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\system\System.exe'" /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2160
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2780
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • DcRat
                                                        • Process spawned unexpected child process
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2968

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
                                                        Filesize: 4.9MB
                                                        MD5: d6c32cc92aff05247e665fec5d1ca5ed
                                                        SHA1: 864e040db2c99477669bbe45261d8d93ebdba021
                                                        SHA256: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
                                                        SHA512: b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

                                                      • C:\Users\Admin\AppData\Local\Temp\20228fc4-6781-4e22-98f1-8680358c9330.vbs
                                                        Filesize: 480B
                                                        MD5: c11a2cf2d5748e26333b33e37d192bed
                                                        SHA1: 37f19a87edb0a236dbb0cfe33adc04e88f518507
                                                        SHA256: a6de142c5714b9b3963e7f7e7220911e4999cb703641c7382c7b0a12a1965288
                                                        SHA512: 3f5cf295a540344344ba7b46c8dd87ba19d1edbde037472e461fa18ddc07d80e63adaf13d7d378e7e9d9b1370ccd7b9966f3689100fc2cdf4d5c945f92baad2c

                                                      • C:\Users\Admin\AppData\Local\Temp\2b82b552-8929-4464-a7f2-05f79c5e87d7.vbs
                                                        Filesize: 704B
                                                        MD5: 1527a951113213e35166d93616b9b266
                                                        SHA1: 4f0bd3dd05131d5a50aa78179bcc26d71ea10c56
                                                        SHA256: 824ec3326221b604a03de51a54d2d583e5b8cf428f93f14cf980322b0f06e9b3
                                                        SHA512: 551dae181274c9793b94d42a465c0082b19d183999592a38f8348495474977cf25df9f32a7d84b553a364ada77719d613518d4d62ca59f50715dd7bdb6919f65

                                                      • C:\Users\Admin\AppData\Local\Temp\615da95f-f0a6-44f1-818e-c7940c037c5a.vbs
                                                        Filesize: 704B
                                                        MD5: 52a93e2c4f1847566d50f4807f80cecf
                                                        SHA1: 0a2e0b43e1d6ecb5432e6c17af125731a87c04c2
                                                        SHA256: c39ed50d7a8511db80d3353e0bf9cf33bc777a8dc421199e4779cce2bf9978fc
                                                        SHA512: 86bde4abe0521a49be7d36408b94c650a66f0329314776c40165902a198e6a8202fbd0910e4f229619dcecd028e383b6e7265f1c58200cbeb7a207575e209714

                                                      • C:\Users\Admin\AppData\Local\Temp\9016b773-8dac-4084-9f7b-36ccae39f18f.vbs
                                                        Filesize: 704B
                                                        MD5: 9aeac4d0d31630b544d7ff67d8e56344
                                                        SHA1: fb77664f8123cf7a0fb738aa4799870eb9af505b
                                                        SHA256: e8e2ade9246f45d2796c7b3f5d7171ed263229e7adbc37a43603269a36340d54
                                                        SHA512: 0a2b39813afee2a91a71cfdd610219bc85325c04c34ffd778cae20864b02254e07ef20ff3d8cff84b4433a23449dc596d9b06e80cbf4f859283b784d28db9213

                                                      • C:\Users\Admin\AppData\Local\Temp\cc3374cd-9d99-4fca-b19b-c3040f5f7323.vbs
                                                        Filesize: 703B
                                                        MD5: afdafe86756f82e77f75d430764f963f
                                                        SHA1: 7160d49ec20fd00d9371f7f316105db97c1a7621
                                                        SHA256: c29bb08155259533ea58a611119b49aa21cbae5e83307348c945763a4a64c357
                                                        SHA512: ad89b2dae3651db5ae4c57aeeacc02d93778f527c26d56bfb898588e426a34b9e4e62e3050e01d2b10899908603763612bbfbd00d87d7af9f3920e677ca752bc

                                                      • C:\Users\Admin\AppData\Local\Temp\d5c96c5c-b6f5-422f-81dc-7609fe4006ce.vbs
                                                        Filesize: 704B
                                                        MD5: ac91d37f2257d2446fb71206bde6cb48
                                                        SHA1: 74facf62a3b0bd2c28476f9ac95c198bc2a2eef8
                                                        SHA256: 20a37eaf4c1907af62280ac54fa61c9059c22eab0ede5117f09b4481182d2e6f
                                                        SHA512: 1cac4caa29099613142008bddeb6467d103501db88f6cea03dc7b5493b47930f9ec6de708e0fe04d288fac254471bebd51985ff22d6795cd3d90ed69215615b6

                                                      • C:\Users\Admin\AppData\Local\Temp\d79e3463-723a-42bf-8a09-7a72c8ee771c.vbs
                                                        Filesize: 704B
                                                        MD5: 84a8e9912076e4b98a352a90b3cc24f4
                                                        SHA1: 2777aed06ac94fbe03dddfd261ac60effe7fe4b5
                                                        SHA256: 06689cedf020ba37cd6aed05bc9026dec44a03cb34e4cafefd78a30b7d7af3f8
                                                        SHA512: ad692aeca547adae4a8fa8435664014a8c2ee20a7f7aaf9c9092e254ddc7d5311f155581d32f69d77a6dc3a650f2fc0d2e3a10d2c4f4a594db8cf3238ca1769b

                                                      • C:\Users\Admin\AppData\Local\Temp\d964f881-43c7-4e1e-9d3d-6d416a322991.vbs

                                                        Filesize

                                                        704B

                                                        MD5

                                                        0f82d3ecfcb94695910b58b0c72cb664

                                                        SHA1

                                                        7e612260d370742b1a20a3b125b5c806d52561f3

                                                        SHA256

                                                        a504356cd4db9e015c034c9b1cfa19bbc89423879d03f3c432627e403043ee0c

                                                        SHA512

                                                        ef49cebce988b3d41f1fc622dee522f3e28b9d2b9ff6e9c9ed9d0d00b0bd473775292f8a63a9c2fa51441841054417c6888080df4536d0d38176e5c8902d69f3

                                                      • C:\Users\Admin\AppData\Local\Temp\dcd2c6cd-1c47-4e0d-90fa-4cfdbb9c92a3.vbs

                                                        Filesize

                                                        704B

                                                        MD5

                                                        11a220ed8d6dd101a154344d0fcad3b1

                                                        SHA1

                                                        77cb09e47f4a22ea96159c703cb3e90e81f7aa2a

                                                        SHA256

                                                        3b30b4381c7f5850a256bfd6566441a4d1357263c1fa262e3a4327f19b75e514

                                                        SHA512

                                                        3d70da94899c97a47614701a99ab7f98b31db062c99a49aa98cb5705eb26cc2b8cfaa9fc54c7ee57ece95fc4389b9978ec4a5a298480ddb8c13080648a53c4ed

                                                      • C:\Users\Admin\AppData\Local\Temp\tmp117E.tmp.exe

                                                        Filesize

                                                        75KB

                                                        MD5

                                                        e0a68b98992c1699876f818a22b5b907

                                                        SHA1

                                                        d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                        SHA256

                                                        2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                        SHA512

                                                        856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                      • C:\Users\Admin\AppData\Local\Temp\zseo6rLH0D.bat

                                                        Filesize

                                                        193B

                                                        MD5

                                                        3e3dd542a5016e66ca4c098ea93a1fcc

                                                        SHA1

                                                        a515a8de7dc3ebb8f8f03b9c053eecb93c15793c

                                                        SHA256

                                                        4a500988e2e85294f603fdfa84bdd309b4f614fd43c70f5298a7bd40a8c233da

                                                        SHA512

                                                        54969334ce745ac49b2b00f44b6d39b0c3197e968e153311e7d2cc461068be33881afc830ddd9257f926e5fd35a652896301e6591dd89c4dda60cd08ebdeb8c3

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                        Filesize

                                                        7KB

                                                        MD5

                                                        d6dafa34c562c157d8179d04894e77ab

                                                        SHA1

                                                        f3f571d0531c2baa2abb0b382e639fa7f7834713

                                                        SHA256

                                                        f96e0761b37b28c78d804f4e4aeccf5b6802126cb00b80ec9bf207431c7dc0a6

                                                        SHA512

                                                        94db6281b7bf90f2033514556ab48c2c9a7f2849ea841b1f9773be533718d86e629a7014ddddaa7517c09a668e962fc974b603829367fe8fa314a97de19a582a
