Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2023, 02:57

General

  • Target

    NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe

  • Size

    1.4MB

  • MD5

    5e2ccb97d6bf2f8bedd6d473079c33b0

  • SHA1

    699314bf74a661917771308e7cd6d6b618af2827

  • SHA256

    6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

  • SHA512

    0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Users\All Users\Documents\smss.exe
      "C:\Users\All Users\Documents\smss.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1600
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Users\All Users\Documents\smss.exe
          "C:\Users\All Users\Documents\smss.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2792
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1e8466-88bd-41ef-9e26-a0c5b746ecc5.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Users\All Users\Documents\smss.exe
              "C:\Users\All Users\Documents\smss.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2828
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4823b02f-678b-49ce-b8c3-efa8c15d028c.vbs"
                7⤵
                PID:2428
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\283103aa-2958-4c01-82e5-36c16518f179.vbs"
                7⤵
                PID:1620
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74e596a9-a030-4722-ab3f-678150867930.vbs"
            5⤵
            PID:2696
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a1127d-ec24-45d1-9edf-6832273bb0a7.vbs"
        3⤵
        PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe

                  Filesize

                  1.4MB

                  MD5

                  40b8ab027d105aef6ee81351cbf33e01

                  SHA1

                  d58d8d96d96b41965e8ae67d0956157c0ce7a9d7

                  SHA256

                  9d26d8ab136e6703a8e98cb36847b879bc9284da2ade8792d1f85ecdf600b02c

                  SHA512

                  2c50c1238c731f6fb546cda371a4cdbcb6e58fecb92e14321217155a3c55dc2dffad34ea5271a1069c33b44d87775d453701b47e243336eb83d9869190d76e0c

                • C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Users\Admin\AppData\Local\Temp\0f1e8466-88bd-41ef-9e26-a0c5b746ecc5.vbs

                  Filesize

                  713B

                  MD5

                  cebd39c9e4f83323f870f0a926bb9507

                  SHA1

                  229916c57c503b9f5deb269a5bb13d5fa92f574a

                  SHA256

                  0db7f2c37d1ce5a476acb3975f8b64d93a1071257c483696e8b58db82bc6382d

                  SHA512

                  e5e7e34846fba1eff398336d933293d119f3255e9baaf3d69bbb98ca0e92cef0a969c9836b304df2f2481c26658c114c176075ef328212e3442e14fda6c7bcbe

                • C:\Users\Admin\AppData\Local\Temp\283103aa-2958-4c01-82e5-36c16518f179.vbs

                  Filesize

                  489B

                  MD5

                  ff5b97fb6306c641466d345413c11681

                  SHA1

                  8645270aa952670b602b443516931ad7b5fffe04

                  SHA256

                  5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639

                  SHA512

                  04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

                • C:\Users\Admin\AppData\Local\Temp\4823b02f-678b-49ce-b8c3-efa8c15d028c.vbs

                  Filesize

                  713B

                  MD5

                  312bb5bc5578762f5103fc9dd52a9cda

                  SHA1

                  8268048dde68f3a9adefc1985b421c01c782586d

                  SHA256

                  3e94ff29e3645c26ff2ef289cd2e6ffbc0d0f83aa3071ae652259a76721a7c05

                  SHA512

                  a1418d2e305b48b8277dca299dc3dd7d1e6e8878374371a2d480f271388634b319a67e646fd0d4f9eb4319b4d8f5d86cc34d48a9918f8ef4edc98ffee6d5c940

                • C:\Users\Admin\AppData\Local\Temp\59a1127d-ec24-45d1-9edf-6832273bb0a7.vbs

                  Filesize

                  489B

                  MD5

                  ff5b97fb6306c641466d345413c11681

                  SHA1

                  8645270aa952670b602b443516931ad7b5fffe04

                  SHA256

                  5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639

                  SHA512

                  04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

                • C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs

                  Filesize

                  713B

                  MD5

                  76626e8ba1160dfbd543304eea886658

                  SHA1

                  590612efde4ec67322f0e0c5d7c81d2788f4d5cb

                  SHA256

                  5c0c925cc7db33998430377e00bc30ffa968c7654b357f8d0ac85cef86674b25

                  SHA512

                  233d0476b74e56544c7ff0f703cfb6187b5d52b5e3a7e58baddf18401593233089cde386da9a100c39be1253d90022d428149c1bbabbb63d5390282702ff0905

                • C:\Users\Admin\AppData\Local\Temp\74e596a9-a030-4722-ab3f-678150867930.vbs

                  Filesize

                  489B

                  MD5

                  ff5b97fb6306c641466d345413c11681

                  SHA1

                  8645270aa952670b602b443516931ad7b5fffe04

                  SHA256

                  5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639

                  SHA512

                  04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

                • C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  3f21815d5378acb11617b0a9d0dab29a

                  SHA1

                  15ae09559113259f5ee4f4580dd6cd07ee73a81b

                  SHA256

                  5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9

                  SHA512

                  eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KQYPVYHCJY6ZSDUUPIHJ.temp

                  Filesize

                  7KB

                  MD5

                  3f21815d5378acb11617b0a9d0dab29a

                  SHA1

                  15ae09559113259f5ee4f4580dd6cd07ee73a81b

                  SHA256

                  5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9

                  SHA512

                  eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3

                • C:\Users\All Users\Documents\smss.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Users\Public\Documents\smss.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
