Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 21:31

General

  • Target

    456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

  • Size

    4.9MB

  • MD5

    bc6d8c1824fbce3832a86042be6ce8ec

  • SHA1

    5c750a20d9ddeb5be64ba89d220a8657adbce18b

  • SHA256

    456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

  • SHA512

    abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
    "C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
      "C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
        "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2524
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\354bfacf-06f0-4152-9f7c-b1a77dd53ff0.vbs"
          4⤵
            PID:2224
            • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
              "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:3064
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f260e15c-1c3f-4e8f-b9d7-406d47dc240a.vbs"
                6⤵
                  PID:1664
                  • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                    "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2752
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6354b907-5a0e-425e-9cb6-8ababfb61a28.vbs"
                      8⤵
                        PID:1440
                        • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                          "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                          9⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:1616
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8f2fbc8-b7b1-44e4-9a4e-b60c3d7e6657.vbs"
                            10⤵
                              PID:1524
                              • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                11⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:1680
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d995d1-ba5d-4e93-b318-a0d04ca8e468.vbs"
                                  12⤵
                                    PID:920
                                    • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                      "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                      13⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2684
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e862102d-2a37-4ee0-b2b9-07b8974c3c07.vbs"
                                        14⤵
                                          PID:3032
                                          • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                            "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                            15⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:592
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e89509d-6c17-4bd3-8d2a-ddb9c4c2fe20.vbs"
                                              16⤵
                                                PID:2316
                                                • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                                  "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:2904
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a01589e-33a7-4409-809f-d240d359a159.vbs"
                                                    18⤵
                                                      PID:628
                                                      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                                        "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:936
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5eae70-f3c0-442a-a3aa-5e674df4c189.vbs"
                                                          20⤵
                                                            PID:3048
                                                            • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                                              "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:2152
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5fecf9-f2ac-4eb9-8ef8-c6e62ccb4322.vbs"
                                                                22⤵
                                                                  PID:1180
                                                                  • C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe
                                                                    "C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:1184
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3e8d23-32a3-40d3-86cb-50bbdef5577c.vbs"
                                                                      24⤵
                                                                        PID:592
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8979e7ff-708e-47cf-9373-1f410fd16f0d.vbs"
                                                                        24⤵
                                                                          PID:1472
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc7f2509-2c12-4b79-a6be-1c15ebf4d2ff.vbs"
                                                                      22⤵
                                                                        PID:1644
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b1db13-6486-4bd7-acbb-2b7a7fd434af.vbs"
                                                                    20⤵
                                                                      PID:2700
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c06224fb-a27d-4e25-8dea-1372a8e0a168.vbs"
                                                                  18⤵
                                                                    PID:1440
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fe7d63e-1c0e-4400-99af-8285f2dbe595.vbs"
                                                                16⤵
                                                                  PID:2976
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d38ece4-f46a-4185-871d-2f46108ee645.vbs"
                                                              14⤵
                                                                PID:2536
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2765e86c-8aea-4132-a16d-be2b1be0fcf7.vbs"
                                                            12⤵
                                                              PID:2616
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2179b7a-2276-4dde-bc5a-6fd89b518472.vbs"
                                                          10⤵
                                                            PID:1100
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58fbb9cb-13f6-4b20-92a1-b4c9cbf73a5c.vbs"
                                                        8⤵
                                                          PID:2280
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc57696f-8517-4324-9cb3-fb773eec6c55.vbs"
                                                      6⤵
                                                        PID:900
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3439e6d-c6c1-40c5-a54c-f554d28e761e.vbs"
                                                    4⤵
                                                      PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a304" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /f
    1⤵
    • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1404
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:316
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a304" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1888
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1456
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2136
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1956
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1448
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:692
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1300
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2852
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1100
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1440
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\services.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1016
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2172
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2952
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2108
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1208
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2364
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:552
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1572
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:844
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1976
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1252
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\conhost.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2120
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2484
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:992
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3028
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2476
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1528
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2716
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2392
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2572
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2316
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2892
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2324
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1396
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2256
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:316
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1952
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Architecture\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1968
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\powershell.exe'" /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\addins\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1516
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • DcRat
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2588

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
                                                Filesize: 4.9MB
                                                MD5: bc6d8c1824fbce3832a86042be6ce8ec
                                                SHA1: 5c750a20d9ddeb5be64ba89d220a8657adbce18b
                                                SHA256: 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
                                                SHA512: abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292

                                              • C:\Users\Admin\AppData\Local\Temp\1a01589e-33a7-4409-809f-d240d359a159.vbs
                                                Filesize: 737B
                                                MD5: 8a7e782facb9687bc938370c792c9af5
                                                SHA1: ea24b2a85199d1177c8addd75b07ec9091d7d9ae
                                                SHA256: 43a6bf5afc483a791d318aacf557a4b674aac1af101f6dbacda53bb1362aaa1a
                                                SHA512: d8845e1cc482a4300f51eb93ac3af2a671f2f86f831171dbe0bf222e55397c6f2d8b27c865397a92373943cda09879553c0904f3123437c83d011656d74dbff1

                                              • C:\Users\Admin\AppData\Local\Temp\354bfacf-06f0-4152-9f7c-b1a77dd53ff0.vbs
                                                Filesize: 737B
                                                MD5: 36673862516eebed17726179f0426dfe
                                                SHA1: 4389b9e67a4c64c6b5a1f608476aa6f7606d66de
                                                SHA256: 2e3af1e7a1c625d29020881745084d8bb174b01191c549a95ccdf9d56b91e7c3
                                                SHA512: 57dea71ac01eb4dce6eaeec0c73b913879ecafcd955e935313e0e39147263969bb0fc0dc1b69b4c49fd8a51f1373cb99008318887f6a3ce128443d3d35cba54e

                                              • C:\Users\Admin\AppData\Local\Temp\4f5eae70-f3c0-442a-a3aa-5e674df4c189.vbs
                                                Filesize: 736B
                                                MD5: 04891fcb5bb3c65e17728bb182d9874f
                                                SHA1: e159333d162314b372f524081d79dcc970b1c52f
                                                SHA256: c0fb449c724cfe93a7a32842e469089beff7fe0e04f4bdd064e3ae4b9759f91b
                                                SHA512: 2b0fd4866c024da84bdaddd31d02a79bdda23ab56fc9bfd3b05445c22968e7acee9fafd0bce669e5a3693216252f155b3bd0e2971974a15a6cf9af70285a25f3

                                              • C:\Users\Admin\AppData\Local\Temp\5e89509d-6c17-4bd3-8d2a-ddb9c4c2fe20.vbs
                                                Filesize: 736B
                                                MD5: 03d3aab2a5206084aa593f71712ed4f3
                                                SHA1: 8125e80db923fe71ce9d3d7d18bdcfc8852daf4c
                                                SHA256: 7c11f3b8f25b326fe15df56dbd40dd797b6ad70eb4a497396ad3d2ed7cd9e09b
                                                SHA512: b84074394d05526eeb5ffe960403f60fae66fcd08dccbd46b0d07d1a5b79e9775a25e4ac9ecfc99e0a56773ac149b96c9136a7ecd207a370e2dd9b3603242f11

                                              • C:\Users\Admin\AppData\Local\Temp\6354b907-5a0e-425e-9cb6-8ababfb61a28.vbs
                                                Filesize: 737B
                                                MD5: af0c9ed2f98d0e1ce87838911a959d93
                                                SHA1: 545197447282321f464d00d22de4ddd13863431a
                                                SHA256: b63a96059807131a009ca2ea44f58ab2aecc583c40142e11516971b8605f1e57
                                                SHA512: 800164e77af8bd1bab568df87b1411b582b7e9667326f2b20f2858ffa30cfb0c08aa5068a8b978a76357deeab03c5fb0dce4e3457eb4627bbe2fb1376d78cef3

                                              • C:\Users\Admin\AppData\Local\Temp\75d995d1-ba5d-4e93-b318-a0d04ca8e468.vbs
                                                Filesize: 737B
                                                MD5: ffcf3af890f0b5f7b6d354f88cea00b8
                                                SHA1: 3f6df174304d43132cd944278a24265f5fb008ba
                                                SHA256: 014d641895dc36350cedaaf6652a4d44771bc89c8f12d8c08cd1f9a0354e29da
                                                SHA512: 782ddf4c596263540da831aa779a0741b7f375b15afcf8bba4cbb700b582bc528f022a4dd92941286184904a195caa9b5b4c8ea5316ee830e7e042cd5c700a25

                                              • C:\Users\Admin\AppData\Local\Temp\bf5fecf9-f2ac-4eb9-8ef8-c6e62ccb4322.vbs
                                                Filesize: 737B
                                                MD5: d0d26af29f1cdf6c67ef14db68ea7bce
                                                SHA1: c92d089615bd3b0f29f620f40a3c0f59bca02ab6
                                                SHA256: 0810b4cc23292f2b3c75596a9ab78379a340d07b063b8d647b82715de5700f68
                                                SHA512: e993d604782945bdd08ae3bf2db6c45e379b408f9510d25fb4df986cbc1a5424f13671c367f3cc95d49c36f2d549d33b20adc2543ac9ec8ff71bbc0b71b08686

                                              • C:\Users\Admin\AppData\Local\Temp\c3439e6d-c6c1-40c5-a54c-f554d28e761e.vbs
                                                Filesize: 513B
                                                MD5: a07d26bdcc704b8a6c9d713ff5722053
                                                SHA1: 5c0f5fac032978ab49c38a036e7bc71f42f66fed
                                                SHA256: db040ae08c77ab5b7aa35c8be5764d9b80c9e3a31e3d21d64d37ba25b6d4b216
                                                SHA512: 9099f6ac1aca99a6a4bec7cffe4365d3d3aee26751bebb568ca3a501d5fa93c8b8fa0c7ce47f3ea79fed7696e483c5ca8d357e45a50804b472123b02f19ed44d

                                              • C:\Users\Admin\AppData\Local\Temp\d8f2fbc8-b7b1-44e4-9a4e-b60c3d7e6657.vbs
                                                Filesize: 737B
                                                MD5: 5a3291bb08e384d00d4c62ba627c108a
                                                SHA1: 71e985d530c6259ce7d773b7afe33ef002763c9f
                                                SHA256: e8356bca13c23573c7395699b6cb0ad8c8a1942cf356099153e3c1a95d46e381
                                                SHA512: a6c15e6468f6f948aa20f1be77a1410970b81c287730fa4ab8c0306571e627db19fb4e15d90fcb41dc6f46ddc2f8ac05d34608f3efdc45e90cfe23ab807a3a91

                                              • C:\Users\Admin\AppData\Local\Temp\e862102d-2a37-4ee0-b2b9-07b8974c3c07.vbs
                                                Filesize: 737B
                                                MD5: 32bbff66dfd7bb8ba8be0ed87f02a537
                                                SHA1: c80df9fb965730a8b09254a5e4612ed06012b79b
                                                SHA256: 27b2283272cf60e9691f9e27f4710e55421dbf567debce6c492841ca30e791e0
                                                SHA512: 071b912c0c0e928a7217662e93c1588b3c0fb75bf24052557ea2de68ae7f69e46823f265b74341c1c0a1047d6164529634338be1c9b8ccc0d132f129b78d881e

                                              • C:\Users\Admin\AppData\Local\Temp\f260e15c-1c3f-4e8f-b9d7-406d47dc240a.vbs
                                                Filesize: 737B
                                                MD5: 47bc2b49abd48d40d54b62da3e2fb352
                                                SHA1: 6930a0f2c9a1812689b8e5a8db2f950d311a721c
                                                SHA256: 3fe34c6bef2b3017526de7a473baf723dcd92cff3615ec46d146257e4ac4b900
                                                SHA512: cbb47abd915c3c79b56e8eca171ceda468764b77c190e707048c2576d0e26e4091c677a9f8f5628882ecf1d1556b0fa4b457f2cc498255a3e7a10fe7d5e78d14

                                              • C:\Users\Admin\AppData\Local\Temp\tmpD48E.tmp.exe
                                                Filesize: 75KB
                                                MD5: e0a68b98992c1699876f818a22b5b907
                                                SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
                                                SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
                                                SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU6D1ZFJINZWE4VAUJ3F.temp
                                                Filesize: 7KB
                                                MD5: db9e986f0941f0ebd716af3e03fbb30f
                                                SHA1: dac080a72ed1d1852e47fc77040bd79b411d7642
                                                SHA256: bded16012941dd9b2fc930e1da8cbcede8fddda6c430282fa3e8179295bd0be6
                                                SHA512: bc4e5fe8f277a3422504234df4e6f122be5ed3bb40338ed2d85255df4f5d1daf70c8a4c87c5cbad4ada5bcd62fc6370a22b44d27943c1669847a05cfd5cb152d

                                              • memory/848-136-0x0000000002790000-0x0000000002798000-memory.dmp
                                                Filesize: 32KB

                                              • memory/848-134-0x000000001B5A0000-0x000000001B882000-memory.dmp
                                                Filesize: 2.9MB

                                              • memory/936-399-0x00000000002F0000-0x00000000007E4000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/1184-430-0x0000000000800000-0x0000000000CF4000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/2152-415-0x0000000000C10000-0x0000000000C22000-memory.dmp
                                                Filesize: 72KB

                                              • memory/2152-414-0x0000000000140000-0x0000000000634000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/2304-241-0x0000000001F40000-0x0000000001F48000-memory.dmp
                                                Filesize: 32KB

                                              • memory/2304-230-0x000000001B670000-0x000000001B952000-memory.dmp
                                                Filesize: 2.9MB

                                              • memory/2388-11-0x0000000000520000-0x000000000052A000-memory.dmp
                                                Filesize: 40KB

                                              • memory/2388-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp
                                                Filesize: 4KB

                                              • memory/2388-129-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
                                                Filesize: 9.9MB

                                              • memory/2388-14-0x00000000006D0000-0x00000000006D8000-memory.dmp
                                                Filesize: 32KB

                                              • memory/2388-1-0x0000000000910000-0x0000000000E04000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/2388-16-0x00000000006F0000-0x00000000006FC000-memory.dmp
                                                Filesize: 48KB

                                              • memory/2388-15-0x00000000006E0000-0x00000000006E8000-memory.dmp
                                                Filesize: 32KB

                                              • memory/2388-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
                                                Filesize: 9.9MB

                                              • memory/2388-13-0x00000000006C0000-0x00000000006CE000-memory.dmp
                                                Filesize: 56KB

                                              • memory/2388-3-0x000000001BCE0000-0x000000001BE0E000-memory.dmp
                                                Filesize: 1.2MB

                                              • memory/2388-12-0x0000000000530000-0x000000000053E000-memory.dmp
                                                Filesize: 56KB

                                              • memory/2388-4-0x0000000000490000-0x00000000004AC000-memory.dmp
                                                Filesize: 112KB

                                              • memory/2388-10-0x0000000000510000-0x0000000000522000-memory.dmp
                                                Filesize: 72KB

                                              • memory/2388-9-0x0000000000500000-0x000000000050A000-memory.dmp
                                                Filesize: 40KB

                                              • memory/2388-8-0x00000000004F0000-0x0000000000500000-memory.dmp
                                                Filesize: 64KB

                                              • memory/2388-5-0x00000000004B0000-0x00000000004B8000-memory.dmp
                                                Filesize: 32KB

                                              • memory/2388-7-0x00000000004D0000-0x00000000004E6000-memory.dmp
                                                Filesize: 88KB

                                              • memory/2388-6-0x00000000004C0000-0x00000000004D0000-memory.dmp
                                                Filesize: 64KB

                                              • memory/2524-284-0x0000000000CE0000-0x00000000011D4000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/2656-188-0x0000000000620000-0x0000000000632000-memory.dmp
                                                Filesize: 72KB

                                              • memory/2752-313-0x0000000001110000-0x0000000001604000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/2904-384-0x0000000001340000-0x0000000001834000-memory.dmp
                                                Filesize: 5.0MB

                                              • memory/3064-298-0x0000000000D70000-0x0000000001264000-memory.dmp
                                                Filesize: 5.0MB