Analysis

  • max time kernel
    167s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2023, 03:19

General

  • Target

    NEAS.0e28ad7c051feab83c13d21b648a8d60.exe

  • Size

    1.4MB

  • MD5

    0e28ad7c051feab83c13d21b648a8d60

  • SHA1

    ed5e0a9db6860af386c099452870856b649d2841

  • SHA256

    8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

  • SHA512

    68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1856
        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1132
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021a110-1943-4e92-950f-57a501d99bef.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
              "C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2108
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fdd770e-3515-4faa-a034-ba35e8489e30.vbs"
                6⤵
                  PID:2772
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\315314a6-b10b-4bcf-9d64-428d03b0c61b.vbs"
                  6⤵
                    PID:2448
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ecb051-08ae-45de-9a05-c3a3735e1d76.vbs"
                4⤵
                  PID:876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2524
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1892
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1668
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2784
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2240
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:872
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1400
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2376
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1804
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2288
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2032
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1612
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1684

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

                  Filesize

                  1.4MB

                  MD5

                  0e28ad7c051feab83c13d21b648a8d60

                  SHA1

                  ed5e0a9db6860af386c099452870856b649d2841

                  SHA256

                  8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

                  SHA512

                  68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe

                  Filesize

                  1.4MB

                  MD5

                  0e28ad7c051feab83c13d21b648a8d60

                  SHA1

                  ed5e0a9db6860af386c099452870856b649d2841

                  SHA256

                  8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

                  SHA512

                  68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe

                  Filesize

                  1.4MB

                  MD5

                  c1a2ec7f8a5c5ba1b62e690fa0ed6397

                  SHA1

                  cd41afe453b08ff0f7d2e6e57629a13eee0c8b48

                  SHA256

                  b30f2be203f8e3672cf25ff816a0b825e03e92c4094ece9a6c72cdb58073ca96

                  SHA512

                  0e874fc1d5dde6f9d051b13568ea970e2b17b4e19e438b09118368ac381d37d20f1a7a98195d1fc25721524ec723951f2f4c1c641e2faeb61b23d5384bba808f

                • C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe

                  Filesize

                  1.4MB

                  MD5

                  472354661a688f47ebeb0ff09c76c11e

                  SHA1

                  f32e7cd84f6a0cedc1b12e3f9df291f007b1f862

                  SHA256

                  6677642ee9c9b3a78ca2de479da5a310d52a6f88c3f53186fb89ef74e22f03cf

                  SHA512

                  5674676bdcc1276e0881f31424ecab742f3cefdedb82ea401d3c3f0d3cf48d91a12466b066c010b0db81004ca6c5c878847a985713ff5ac3a791f8ee4e7b8904

                • C:\Users\Admin\AppData\Local\Temp\315314a6-b10b-4bcf-9d64-428d03b0c61b.vbs

                  Filesize

                  516B

                  MD5

                  05ce8b7bc9ca8386cbb19c2d15e5b720

                  SHA1

                  27c92b391a0902b39ef3b3373d0c917247acfc1f

                  SHA256

                  3168ec7b8f86eef2799baffc7e21c8bffd05841abf6361084c024352ae69ff29

                  SHA512

                  eb539bade0f535b389af956c56936b3bec5da21acc7fe40d9a83f4b3e7715dea2e0a35714936d1e511bb0f8b5c90a6b6a12ad879bc913db67a2ce24db60e655b

                • C:\Users\Admin\AppData\Local\Temp\31ecb051-08ae-45de-9a05-c3a3735e1d76.vbs

                  Filesize

                  516B

                  MD5

                  05ce8b7bc9ca8386cbb19c2d15e5b720

                  SHA1

                  27c92b391a0902b39ef3b3373d0c917247acfc1f

                  SHA256

                  3168ec7b8f86eef2799baffc7e21c8bffd05841abf6361084c024352ae69ff29

                  SHA512

                  eb539bade0f535b389af956c56936b3bec5da21acc7fe40d9a83f4b3e7715dea2e0a35714936d1e511bb0f8b5c90a6b6a12ad879bc913db67a2ce24db60e655b

                • C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat

                  Filesize

                  229B

                  MD5

                  66ba54424b123927b07fe80323ced8b0

                  SHA1

                  7b869e62480dcc515f0fbcf91bb9708b3d41380e

                  SHA256

                  8e6e1243667296f11dc9afe13ecc1523124e85caee618e97c3275e23ec2c391f

                  SHA512

                  06309258cdb84496f58958c103f78ff2207adcfe33fc61c2c30f6e41571cd01ba02433a7e1fdfd8013d5dc87cde649468d8d245a4e22d3b2b8b683d3ebf1a86c

                • C:\Users\Admin\AppData\Local\Temp\7fdd770e-3515-4faa-a034-ba35e8489e30.vbs

                  Filesize

                  740B

                  MD5

                  598552cedf323023e5b2389da6174832

                  SHA1

                  cedb410d339f509808c1bbb243aaf0e94d192040

                  SHA256

                  a27666c4363c0f469ef69822fe2e80614adc395b3e1e60d969be2fcf4cfb388a

                  SHA512

                  12c96ad6cf23774747869bd522c227acd638fd97e2b0a3733c187531af848b703c36ba58e16e0dd6d8fe4dd3d23701956f8d816a40353f1d454ab4ab2e33b3e8

                • C:\Users\Admin\AppData\Local\Temp\9102608d4360041de75102797364943e2d4065c2.exe

                  Filesize

                  1.4MB

                  MD5

                  0e28ad7c051feab83c13d21b648a8d60

                  SHA1

                  ed5e0a9db6860af386c099452870856b649d2841

                  SHA256

                  8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

                  SHA512

                  68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

                • C:\Users\Admin\AppData\Local\Temp\b021a110-1943-4e92-950f-57a501d99bef.vbs

                  Filesize

                  740B

                  MD5

                  c5cb7145aba1084a2bb003fe276be624

                  SHA1

                  f57a975bb0d36ec2cf967633e9af48cd8249d9f8

                  SHA256

                  5c8ab84053e19ed31eb32f54c88742c0de606d5f0ae88b087e4f5104d3164a63

                  SHA512

                  a7f74ded3c69512c20965fa28c1af5a2ab87ead3a9d1ff875e52b68976e9a6730358264618eed28e68de1bfcf43b88eda07d1f27ba3ca9b7565cd8e7c280fa3f

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  0b18178cc5c3019be2dbbc9b98c6d864

                  SHA1

                  186161c814eff60afa8f8d1802539dfe0d28c943

                  SHA256

                  bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466

                  SHA512

                  75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B07MGQ51CEKDSED8IAT0.temp

                  Filesize

                  7KB

                  MD5

                  0b18178cc5c3019be2dbbc9b98c6d864

                  SHA1

                  186161c814eff60afa8f8d1802539dfe0d28c943

                  SHA256

                  bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466

                  SHA512

                  75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b

                • C:\Users\Admin\Idle.exe

                  Filesize

                  1.4MB

                  MD5

                  58a85e97a463a1e65893e02cd8d228e7

                  SHA1

                  b8a69533ed4200fc9d8751d2a68f654aca06f267

                  SHA256

                  5e3057040573fa8ff48494b706d98a25c025820f356abaf668c8776e41040e55

                  SHA512

                  a8fe1aa188558d21631542c3de2946482c9f4bc9ba623493219ae16eb544d456adea8574378140027fa9747376b267829d23549fada802c53b805f6b1ee07280

                • C:\Windows\Globalization\RCXA23.tmp

                  Filesize

                  1.4MB

                  MD5

                  89ab8ded0bccd01b0bb6606ce03537ff

                  SHA1

                  31024a017167b7d718eca33966b2c63027909aee

                  SHA256

                  2c02d082eeae6de4b66db36025011896b0756edd58f9e8625840f64d177aefa8

                  SHA512

                  c235567b2e302b06859b9a0176f2be1a698bc6265235372d59d79e6d69b7893c0b21cdf8c11f59accf404e413f6b7f57ecec72bb030d4b134afb220cd7994ba4

                • memory/304-298-0x000000001B330000-0x000000001B612000-memory.dmp
                  Filesize: 2.9MB

                • memory/304-299-0x0000000001E90000-0x0000000001E98000-memory.dmp
                  Filesize: 32KB

                • memory/304-300-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB

                • memory/732-302-0x0000000002920000-0x00000000029A0000-memory.dmp
                  Filesize: 512KB

                • memory/1132-311-0x00000000008A0000-0x0000000000A0C000-memory.dmp
                  Filesize: 1.4MB

                • memory/1680-309-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB

                • memory/2008-21-0x00000000020D0000-0x00000000020DC000-memory.dmp
                  Filesize: 48KB

                • memory/2008-0-0x00000000000C0000-0x000000000022C000-memory.dmp
                  Filesize: 1.4MB

                • memory/2008-86-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-90-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-100-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-113-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-52-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-125-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
                  Filesize: 9.9MB

                • memory/2008-126-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-128-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-129-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-130-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-131-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-132-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-133-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-159-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-160-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-39-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-179-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-24-0x0000000002070000-0x000000000207C000-memory.dmp
                  Filesize: 48KB

                • memory/2008-193-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-23-0x00000000020F0000-0x00000000020FA000-memory.dmp
                  Filesize: 40KB

                • memory/2008-240-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-245-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-247-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-246-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-248-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-255-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-22-0x00000000020E0000-0x00000000020E8000-memory.dmp
                  Filesize: 32KB

                • memory/2008-73-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-20-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-18-0x00000000020B0000-0x00000000020B8000-memory.dmp
                  Filesize: 32KB

                • memory/2008-19-0x00000000020C0000-0x00000000020CE000-memory.dmp
                  Filesize: 56KB

                • memory/2008-289-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
                  Filesize: 9.9MB

                • memory/2008-16-0x0000000002050000-0x000000000205A000-memory.dmp
                  Filesize: 40KB

                • memory/2008-17-0x0000000002060000-0x000000000206E000-memory.dmp
                  Filesize: 56KB

                • memory/2008-15-0x00000000006A0000-0x00000000006A8000-memory.dmp
                  Filesize: 32KB

                • memory/2008-13-0x0000000000680000-0x0000000000688000-memory.dmp
                  Filesize: 32KB

                • memory/2008-14-0x0000000000690000-0x000000000069C000-memory.dmp
                  Filesize: 48KB

                • memory/2008-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
                  Filesize: 9.9MB

                • memory/2008-2-0x000000001B1B0000-0x000000001B230000-memory.dmp
                  Filesize: 512KB

                • memory/2008-12-0x0000000000670000-0x000000000067C000-memory.dmp
                  Filesize: 48KB

                • memory/2008-3-0x0000000000440000-0x000000000044E000-memory.dmp
                  Filesize: 56KB

                • memory/2008-4-0x0000000000450000-0x0000000000458000-memory.dmp
                  Filesize: 32KB

                • memory/2008-11-0x0000000000660000-0x000000000066C000-memory.dmp
                  Filesize: 48KB

                • memory/2008-5-0x00000000005F0000-0x000000000060C000-memory.dmp
                  Filesize: 112KB

                • memory/2008-10-0x0000000000650000-0x000000000065A000-memory.dmp
                  Filesize: 40KB

                • memory/2008-9-0x0000000000640000-0x0000000000650000-memory.dmp
                  Filesize: 64KB

                • memory/2008-7-0x0000000000610000-0x0000000000620000-memory.dmp
                  Filesize: 64KB

                • memory/2008-8-0x0000000000620000-0x0000000000636000-memory.dmp
                  Filesize: 88KB

                • memory/2008-6-0x0000000000460000-0x0000000000468000-memory.dmp
                  Filesize: 32KB

                • memory/2184-312-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB

                • memory/2488-304-0x0000000002AE0000-0x0000000002B60000-memory.dmp
                  Filesize: 512KB

                • memory/2488-303-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB

                • memory/2544-308-0x00000000029B0000-0x0000000002A30000-memory.dmp
                  Filesize: 512KB

                • memory/2544-305-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB

                • memory/2948-310-0x00000000028E0000-0x0000000002960000-memory.dmp
                  Filesize: 512KB

                • memory/2948-301-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
                  Filesize: 9.6MB
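The dropped-file and memory-dump listing above is a key/value dump that is tedious to turn into indicators by hand. The parser below is an added example written for this page; it is not part of the sandbox report or of any tool behind it. It accepts entries either in the label-on-its-own-line layout or in a `Label: value` layout, and derives what a responder typically pulls from such a listing: the unique SHA256 set of dropped files, files that are the same content under different names (on this page the two CustomDestinations entries share every hash), memory regions dumped at the same virtual address in more than one process (the 9.6MB range at 0x000007FEED920000 appears in six PIDs), and a sanity check that each dump's reported size agrees with its address range. The embedded `SAMPLE` is a constructed subset copied from the listing above, not a full export; the function names, the 10% size tolerance, and the `•` bullet as record delimiter are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the report above: three dropped-file
# entries and three memory dumps copied from the listing, in both the
# label/blank/value form and the compact "Label: value" form.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

  Filesize

  7KB

  MD5

  0b18178cc5c3019be2dbbc9b98c6d864

  SHA256

  bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B07MGQ51CEKDSED8IAT0.temp
  Filesize: 7KB
  MD5: 0b18178cc5c3019be2dbbc9b98c6d864
  SHA256: bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466

• C:\Users\Admin\Idle.exe
  Filesize: 1.4MB
  SHA256: 5e3057040573fa8ff48494b706d98a25c025820f356abaf668c8776e41040e55

• memory/304-300-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
  Filesize: 9.6MB

• memory/1680-309-0x000007FEED920000-0x000007FEEE2BD000-memory.dmp
  Filesize: 9.6MB

• memory/732-302-0x0000000002920000-0x00000000029A0000-memory.dmp
  Filesize: 512KB
"""

# memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# A field label, optionally followed by ':' and the value on the same line.
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'9.6MB' -> bytes. Report sizes are rounded, so callers must allow slack."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_report(text):
    """Turn the bullet listing into dicts of kind 'file' or 'memory'."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                      # a new entry (assumed delimiter)
            name = line[1:].strip()
            m = MEM_RE.match(name)
            if m:
                current = {"kind": "memory", "pid": int(m["pid"]), "index": int(m["idx"]),
                           "start": int(m["start"], 16), "end": int(m["end"], 16)}
            else:
                current = {"kind": "file", "path": name}
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if value:
                current[key] = value                  # "Label: value" on one line
            else:
                pending = key                         # value follows on the next non-blank line
        elif pending:
            current[pending] = line
            pending = None
    return records


def file_iocs(records):
    """Unique SHA256 values of dropped files, suitable for a blocklist or hunt query."""
    return sorted({r["sha256"] for r in records if r["kind"] == "file" and "sha256" in r})


def duplicate_files(records):
    """Paths that share a SHA256: the same content written under several names."""
    by_hash = defaultdict(list)
    for r in records:
        if r["kind"] == "file" and "sha256" in r:
            by_hash[r["sha256"]].append(r["path"])
    return {h: p for h, p in by_hash.items() if len(p) > 1}


def shared_regions(records):
    """Address ranges dumped at the same virtual address in more than one process."""
    by_range = defaultdict(set)
    for r in records:
        if r["kind"] == "memory":
            by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def region_size_mismatches(records, tolerance=0.1):
    """Dumps whose reported Filesize disagrees with end-start by more than `tolerance`."""
    bad = []
    for r in records:
        if r["kind"] != "memory" or "filesize" not in r:
            continue
        span = r["end"] - r["start"]
        if abs(span - parse_size(r["filesize"])) > tolerance * span:
            bad.append((r["pid"], r["index"], span, r["filesize"]))
    return bad


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print("dropped-file SHA256 IOCs:", file_iocs(recs))
    print("same content, several names:", duplicate_files(recs))
    print("ranges shared across PIDs:", {f"0x{s:016X}-0x{e:016X}": p for (s, e), p in shared_regions(recs).items()})
    print("size mismatches:", region_size_mismatches(recs))
```

Run the parser over the full listing rather than the subset and the shared-range check also surfaces the 9.9MB range at 0x000007FEF5800000 in PID 2008 and the repeated 512KB range at 0x000000001B1B0000 across many snapshots of that process; the report itself does not say what those mappings are, so treat the output as a pointer to which dumps to open first, not as an identification.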