Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231025-en locale:en-us os:windows7-x64 system
  • submitted
    18/11/2023, 04:49

General

  • Target

    NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe

  • Size

    1.4MB

  • MD5

    54df88c3e72b8d4229f6bf6adabef9e0

  • SHA1

    c2c6ff9f9677cdeb3c88e81d97317977ca87e56e

  • SHA256

    12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5

  • SHA512

    9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Za1gsZhFgS.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2868
      • C:\Windows\TAPI\spoolsv.exe
        "C:\Windows\TAPI\spoolsv.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2776
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ed3703-1651-4abe-b12c-f7cf4ca16b17.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:300
          • C:\Windows\TAPI\spoolsv.exe
            C:\Windows\TAPI\spoolsv.exe
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1712
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs"
              6⤵
              PID:2108
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f4e2f8-be33-4044-94b0-367163e01f37.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Windows\TAPI\spoolsv.exe
                C:\Windows\TAPI\spoolsv.exe
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1296
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d46b765-2e98-4fc0-8ada-fa5da1670b9b.vbs"
                  8⤵
                  PID:1528
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2de0cc-e322-4e84-9387-7d98466202ad.vbs"
                  8⤵
                  PID:1976
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3646c697-abdf-416e-8de6-61131759a7ef.vbs"
          4⤵
          PID:1744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\inf\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1076
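The Signatures and Processes sections above record the two behaviours a responder would want to hunt for on other hosts: Windows Defender exclusions added with Add-MpPreference for whole drive roots, and schtasks persistence whose actions are copies of system binaries (services.exe, spoolsv.exe, winlogon.exe, wininit.exe, sppsvc.exe, explorer.exe, Idle.exe) placed under Program Files, MSOCache, Recovery and Windows subfolders, most of them with /rl HIGHEST. The Python below is an added example for this page, not part of the sandbox output or of any vendor tooling: it parses command lines of exactly those two shapes and rates them. The sample lines are copied from the process tree above except for the robocopy control line, which is constructed; the expected-location table and the severity thresholds are the example's own assumptions.

```python
"""Classify the persistence and defence-evasion command lines from the report.

Added example; not sandbox output or vendor code. Parses the two command-line
shapes seen in the Processes section (schtasks.exe /create ... and powershell
Add-MpPreference -ExclusionPath ...). Severity rules and the expected-location
table are assumptions, not a vendor signature.
"""
import ntpath
import shlex
from dataclasses import dataclass

# Where the impersonated system binaries really live (assumption: stock install
# under C:\Windows). Idle.exe has no on-disk counterpart at all, so any task
# pointing at it is suspect regardless of directory.
EXPECTED_PARENT = {
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "wininit.exe":  r"c:\windows\system32",
    "sppsvc.exe":   r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "idle.exe":     None,
}

# Exclusions at these roots switch off on-access scanning for most of the
# volume; any other exclusion is still a finding but rated lower (assumption).
BROAD_EXCLUSIONS = {"c:/", "c:/windows/", "c:/users/", "c:/programdata/",
                    "c:/program files/", "c:/program files (x86)/"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "scheduled_task" or "defender_exclusion"
    severity: str  # "high" or "critical"
    target: str    # task action path or excluded path
    detail: str


def parse_schtasks(cmdline):
    """Return /tn, /sc, /mo, /tr and /rl of a schtasks /create line, or None."""
    tokens = shlex.split(cmdline)            # copes with "'C:\path with spaces'"
    lowered = [t.lower() for t in tokens]
    if not lowered or "schtasks" not in lowered[0] or "/create" not in lowered:
        return None
    opts = {}
    for i, key in enumerate(lowered[:-1]):
        if key in ("/tn", "/sc", "/mo", "/tr", "/rl"):
            opts[key] = tokens[i + 1]
    return {
        "name": opts.get("/tn", ""),
        "schedule": opts.get("/sc", "").upper(),
        "modifier": int(opts["/mo"]) if opts.get("/mo", "").isdigit() else None,
        "action": opts.get("/tr", "").strip("'"),   # dropper wraps the path in quotes
        "runlevel": opts.get("/rl", "").upper(),
    }


def parse_exclusion(cmdline):
    """Return the normalised path given to Add-MpPreference -ExclusionPath, or None."""
    lowered = [t.lower() for t in shlex.split(cmdline)]
    if "add-mppreference" not in lowered or "-exclusionpath" not in lowered:
        return None
    idx = lowered.index("-exclusionpath") + 1
    if idx >= len(lowered):
        return None
    path = lowered[idx].replace("\\", "/")
    return path if path.endswith("/") else path + "/"


def is_masquerade(action):
    """True when a task runs a system-binary name from a directory it does not belong in."""
    name = ntpath.basename(action).lower()
    if name not in EXPECTED_PARENT:
        return False
    expected = EXPECTED_PARENT[name]
    return expected is None or ntpath.dirname(action).lower() != expected


def classify(cmdlines):
    findings = []
    for line in cmdlines:
        path = parse_exclusion(line)
        if path is not None:
            sev = "critical" if path in BROAD_EXCLUSIONS else "high"
            findings.append(Finding("defender_exclusion", sev, path,
                                    "Defender exclusion added via PowerShell"))
            continue
        task = parse_schtasks(line)
        if task is None:
            continue
        when = task["schedule"] + (f"/{task['modifier']}" if task["modifier"] else "")
        if is_masquerade(task["action"]):
            findings.append(Finding("scheduled_task", "critical", task["action"],
                                    f"task {task['name']!r} ({when}) runs a masquerading copy"))
        elif task["runlevel"] == "HIGHEST":
            findings.append(Finding("scheduled_task", "high", task["action"],
                                    f"task {task['name']!r} ({when}) requests /rl HIGHEST"))
    return findings


# Sample input: six lines copied from the Processes section, one benign line from
# the same tree (w32tm) and one constructed benign control (robocopy, not in report).
SAMPLE_CMDLINES = [
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/$Recycle.Bin/\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/PerfLogs/\'',
    r"""schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /rl HIGHEST /f""",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\robocopy.exe" /f""",  # constructed
]

if __name__ == "__main__":
    for f in classify(SAMPLE_CMDLINES):
        print(f"[{f.severity:8}] {f.kind:18} {f.target}  ({f.detail})")
```

Feeding the full set of 30 schtasks lines from this report through `classify` yields a critical finding for every one of them, because each action path is a system-binary name outside its expected directory; the nine Add-MpPreference lines split into the drive-root exclusions (critical) and the narrower ones such as PerfLogs or $Recycle.Bin (high). On a live host the same classification can be run over Sysmon event ID 1 or Security 4688 command lines rather than a sandbox tree.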

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\services.exe
    Filesize
    1.4MB
    MD5
    54df88c3e72b8d4229f6bf6adabef9e0
    SHA1
    c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
    SHA256
    12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
    SHA512
    9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

  • C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe
    Filesize
    1.4MB
    MD5
    7588612f5989cff445f47ab13f240791
    SHA1
    c9110ffb54f8f668df09de7cd31218163c0b8c6c
    SHA256
    12ad86590810cda787e267bc97058e233648e03ca31d8823efd8abec4204f297
    SHA512
    b5d9623162772cc6e18f15969f19f7a4f9ce180eaeb65dc835f36e4b8bb7d0d4eb6283c73d4527f784ef5527f77956e9a7d5d29d2576084446ca8bfee4cfe5fd

  • C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs
    Filesize
    479B
    MD5
    45bbe9c11d10403d41b1cfe12b3fcca9
    SHA1
    4a1094953009584629bce888c7c2c72b09614afe
    SHA256
    e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
    SHA512
    b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

  • C:\Users\Admin\AppData\Local\Temp\3646c697-abdf-416e-8de6-61131759a7ef.vbs
    Filesize
    479B
    MD5
    45bbe9c11d10403d41b1cfe12b3fcca9
    SHA1
    4a1094953009584629bce888c7c2c72b09614afe
    SHA256
    e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
    SHA512
    b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

  • C:\Users\Admin\AppData\Local\Temp\71f4e2f8-be33-4044-94b0-367163e01f37.vbs
    Filesize
    703B
    MD5
    7ed33e1504bd9e8a33a546eff0583d24
    SHA1
    80b39149fbc6211a600a7938d60aecf28a732853
    SHA256
    d22742cd38603bd34ff2041601b3380e8f668a179d09409026fdb37165c6ff20
    SHA512
    d0c96737fc6652929f4f05f099e5b730ae3b1c966076b3b39f91fff226fa6f5461f4301214911736bf8825b38f7a15f21aa271b6f44f439c93aeeaab87f313aa

  • C:\Users\Admin\AppData\Local\Temp\79ed3703-1651-4abe-b12c-f7cf4ca16b17.vbs
    Filesize
    703B
    MD5
    29e0d61c00b8ac4e5be869beca893911
    SHA1
    ab82c984010088dce3bc8ed12c1edf0f443f2b93
    SHA256
    64cfbaf57ad520f87cf55eccf40f89353d8662b8ffe0563e3243b91c3c1942fd
    SHA512
    d057b1b341842afcc14b858020fbe74eb961e1f8f880fe146c029061f4192a4a47265cdc0e27c564da1fba8a77595faefeafcce8bbeba54f20222865cc406164

  • C:\Users\Admin\AppData\Local\Temp\8f2de0cc-e322-4e84-9387-7d98466202ad.vbs
    Filesize
    479B
    MD5
    45bbe9c11d10403d41b1cfe12b3fcca9
    SHA1
    4a1094953009584629bce888c7c2c72b09614afe
    SHA256
    e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
    SHA512
    b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

  • C:\Users\Admin\AppData\Local\Temp\9d46b765-2e98-4fc0-8ada-fa5da1670b9b.vbs
    Filesize
    703B
    MD5
    60ce163a25e1362bc96dc3bc307a3d61
    SHA1
    efded48e409104dad901b0f107e27cc893bc487d
    SHA256
    960d4c57d26dd9f4fe929b4a8e1cc10cf6d9711e385115c17691211d64e77d03
    SHA512
    2e522d880c92aaf1f176dd704e90c35da1ed74afd9bb6ffb25f63a6cf4b31674156e7adb38e2a303b96cbb7c9aa4f8ab8972416ca3957cc1eebd16268f0f9cbf

  • C:\Users\Admin\AppData\Local\Temp\Za1gsZhFgS.bat
    Filesize
    192B
    MD5
    14a7aa00262b97b8068a9165d7357897
    SHA1
    b450e88e116a51c69df117186232c883a55caa98
    SHA256
    f7bdb04ac601fa340125748d91e06da23e75f03e1f82412338dd66e781a1c391
    SHA512
    f2099d73e3481ab08eca10b8684d3484e7e93e46777b4d5389c105c70fa9422f93f2d1027a2a964cba9c6d212f5f2868b4ccf1d0eb2b655394700a55aaa9bf50

  • C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe
    Filesize
    1.4MB
    MD5
    85c563bbf1adc4274cfb479052de753f
    SHA1
    36ff2ef94abfea537615d076f78ac5b7ce0b248d
    SHA256
    4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
    SHA512
    b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    a06e7aec2279ad807a2a29b3d144732d
    SHA1
    00a8aec3ccc96e383364db832c198e76160037bd
    SHA256
    72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
    SHA512
    25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G17U6U7JTE2BWCLDJ3CW.temp

                      Filesize

                      7KB

                      MD5

                      a06e7aec2279ad807a2a29b3d144732d

                      SHA1

                      00a8aec3ccc96e383364db832c198e76160037bd

                      SHA256

                      72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91

                      SHA512

                      25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

                    • C:\Windows\TAPI\spoolsv.exe

                      Filesize

                      1.4MB

                      MD5

                      85c563bbf1adc4274cfb479052de753f

                      SHA1

                      36ff2ef94abfea537615d076f78ac5b7ce0b248d

                      SHA256

                      4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3

                      SHA512

                      b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c
