Analysis

  • max time kernel
    153s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
  • submitted
    18/11/2023, 06:47

General

  • Target

    NEAS.98a305d83b5bcde92d88eb5f246240c0.exe

  • Size

    1.4MB

  • MD5

    98a305d83b5bcde92d88eb5f246240c0

  • SHA1

    739903e2cb0bb1584fead08bcb41ada2db5bd85f

  • SHA256

    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

  • SHA512

    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:848
      • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2904
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7860a71e-2d6b-4df2-a91c-ba19937097f8.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
            "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2868
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e326810-9039-4469-93ea-3498edb60573.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2872
              • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
                "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:848
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aed9f3b-04dc-4541-b8db-52524691d17d.vbs"
                  8⤵
                  PID:1176
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63a2e3ee-5d39-402c-abe1-de13680f406d.vbs"
                  8⤵
                  PID:2364
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b56169be-2461-410c-b1a0-680a1499b4d5.vbs"
              6⤵
              PID:1084
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aafa2234-5139-432f-9f58-76ad4a340968.vbs"
          4⤵
          PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2088
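The two behaviours that dominate this tree, the chain of Add-MpPreference calls that excludes every top-level directory on C: from Defender, and the 33 schtasks /create calls that register copies of the sample under Windows binary names (spoolsv.exe, lsass.exe, dllhost.exe, ...) in non-system directories with /rl HIGHEST and short /mo intervals, are easy to detect from process command lines alone. The script below is an added example, not part of the sandbox report or of DCRat: it parses the command lines shown above, flags every exclusion that covers a drive root or a direct child of it, and flags tasks whose target masquerades as a system binary outside System32/SysWOW64, that run elevated at logon, or that re-run every few minutes. The binary-name list, the 15-minute interval threshold and the benign "NightlyBackup" line are assumptions, not from the report.

```python
"""Triage helpers for the command lines seen in this DCRat process tree:
Defender exclusion tampering and scheduled-task persistence under
masqueraded Windows binary names. Example code, not part of the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names this sample reuses for its dropped copies. Genuine binaries with these
# names live under the Windows system directories; the same name elsewhere is
# a masquerading indicator. (Assumed list; extend for your estate.)
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "lsass.exe", "dllhost.exe", "services.exe", "dwm.exe",
    "audiodg.exe", "taskhost.exe", "sppsvc.exe", "system.exe",
}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed threshold: tasks re-run this often are watchdogs, not normal software.
MAX_BENIGN_MINUTE_INTERVAL = 15

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)
_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


@dataclass
class Task:
    name: str
    schedule: str
    interval: Optional[int]
    target: str
    run_level: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Extract the persistence-relevant switches of a 'schtasks /create' line."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmdline), _RL.search(cmdline)
    return Task(name=tn.group(1), schedule=sc.group(1).upper(),
                interval=int(mo.group(1)) if mo else None,
                target=tr.group(1).strip("'"),   # the sample quotes the path as "'...'"
                run_level=rl.group(1).upper() if rl else None)


def assess_task(task: Task) -> Task:
    """Attach findings: masquerade, elevated logon persistence, watchdog interval."""
    low = task.target.lower()
    if low.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not low.startswith(LEGIT_SYSTEM_DIRS):
        task.findings.append("masquerade")
    if task.schedule == "ONLOGON" and task.run_level == "HIGHEST":
        task.findings.append("elevated-logon-persistence")
    if task.schedule == "MINUTE" and task.interval is not None \
            and task.interval <= MAX_BENIGN_MINUTE_INTERVAL:
        task.findings.append("watchdog-interval")
    return task


def parse_exclusion(cmdline: str) -> Optional[str]:
    """Return the path passed to Add-MpPreference -ExclusionPath, if any."""
    m = _EXCL.search(cmdline)
    return m.group(1) if m else None


def is_broad_exclusion(path: str) -> bool:
    """Drive root or a direct child of it: the exclusion covers far too much.
    Assumed heuristic: path depth <= 1 after normalising both separators."""
    parts = [p for p in re.split(r"[\\/]+", path.strip()) if p]
    drive = bool(parts) and parts[0].endswith(":")
    return len(parts) <= 1 or (drive and len(parts) == 2)


def triage(cmdlines):
    """Summarise exclusion tampering and suspicious tasks across a process tree."""
    broad, suspicious, benign = [], [], []
    for line in cmdlines:
        path = parse_exclusion(line)
        if path is not None:
            if is_broad_exclusion(path):
                broad.append(path)
            continue
        task = parse_schtasks(line)
        if task is not None:
            (suspicious if assess_task(task).findings else benign).append(task)
    return {"broad_exclusions": broad, "suspicious_tasks": suspicious, "benign_tasks": benign}


# Command lines copied from the process tree above, plus one constructed benign
# task (NightlyBackup, not from the report) to show what is not flagged.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Backup\backup.exe'" /f""",
]

if __name__ == "__main__":
    report = triage(SAMPLE_CMDLINES)
    for path in report["broad_exclusions"]:
        print("broad Defender exclusion:", path)
    for task in report["suspicious_tasks"]:
        print(f"task {task.name!r} -> {task.target}: {', '.join(task.findings)}")
```

Running the file prints the three broad exclusions and the three masquerading tasks and stays silent on the constructed backup task. In production the same functions take the CommandLine field of Sysmon event ID 1 or the process command line of Security event 4688; note that the masquerade check keys on the target path, so it also catches the spoolsv.exe copy that is later re-launched through the WScript chain.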

            Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe

                    Filesize

                    1.4MB

                    MD5

                    98a305d83b5bcde92d88eb5f246240c0

                    SHA1

                    739903e2cb0bb1584fead08bcb41ada2db5bd85f

                    SHA256

                    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

                    SHA512

                    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

                  • C:\Program Files (x86)\Uninstall Information\audiodg.exe

                    Filesize

                    1.4MB

                    MD5

                    98a305d83b5bcde92d88eb5f246240c0

                    SHA1

                    739903e2cb0bb1584fead08bcb41ada2db5bd85f

                    SHA256

                    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

                    SHA512

                    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

                  • C:\Users\Admin\AppData\Local\Temp\0aed9f3b-04dc-4541-b8db-52524691d17d.vbs

                    Filesize

                    749B

                    MD5

                    83c3602434fd0273fe7d49f0559ed97b

                    SHA1

                    0f359f0a9d989b315d2a239bef17d3e8ed81eb73

                    SHA256

                    81de3de914075cd958d89df9dbfc569e84b5439037a584c22561134258ae0e39

                    SHA512

                    aa8c7e68fd797b11835973826d0887f7e3aa079f64d7cc725f06e3479c765d9d9dea537f13c9ed09a3e40fb22037413da8b62880b6cfb65e51b2e9c748fe5133

                  • C:\Users\Admin\AppData\Local\Temp\63a2e3ee-5d39-402c-abe1-de13680f406d.vbs

                    Filesize

                    526B

                    MD5

                    a310f0e7988cd8c7a4ecad3bd0a30f3c

                    SHA1

                    bc3a978c474b21c19851481946dcae4ff59c97ea

                    SHA256

                    84dd5a2fa8fe69118db428d2dd9ace2a2e537a6c2dec9aaadaac819a4cb74a63

                    SHA512

                    a6e313b2a96c7beb5857834c670b88cc56a134438e519a4110df10836dea9bf1341704a7b2cb9fdd88b4de1b262ceaab4f4582dced8d104055ffea9c6748aec4

                  • C:\Users\Admin\AppData\Local\Temp\7860a71e-2d6b-4df2-a91c-ba19937097f8.vbs

                    Filesize

                    750B

                    MD5

                    e2e573702ab62fbee69fd1a933ec31be

                    SHA1

                    4ea4ab50358a4317817947f2999378a4137d4bc0

                    SHA256

                    ad227783a4cd8dbef6d7dcbef6e83ab65d176cf6865f2e7a08a0c553a2376cb1

                    SHA512

                    ac11daf43de7f5e378ac306f216785bd502d72c77ce029dc10de2e4d3a2d3d34069895e49bfad3b17d0cef4cbc1967626e31b9fe5921f5b054f3d5791ed4f402

                  • C:\Users\Admin\AppData\Local\Temp\9e326810-9039-4469-93ea-3498edb60573.vbs

                    Filesize

                    750B

                    MD5

                    a464a6c512448e148490f6cd92df58f6

                    SHA1

                    aa3b8a406b14623c76dfeca3cae824a6bf79bc4e

                    SHA256

                    8b564f3fe57c3040664e026261aa782cc776ae57dfa84b98c1edfa5c83cc63d1

                    SHA512

                    46049ab71aa6f808eebcb0b42874a34af590fef45fecab342b58446cbdd666180ed3f68c8c4d8ebfbb66d2e2828342737e32ae8f221485ab6351750795b95a6b

                  • C:\Users\Admin\AppData\Local\Temp\aafa2234-5139-432f-9f58-76ad4a340968.vbs

                    Filesize

                    526B

                    MD5

                    a310f0e7988cd8c7a4ecad3bd0a30f3c

                    SHA1

                    bc3a978c474b21c19851481946dcae4ff59c97ea

                    SHA256

                    84dd5a2fa8fe69118db428d2dd9ace2a2e537a6c2dec9aaadaac819a4cb74a63

                    SHA512

                    a6e313b2a96c7beb5857834c670b88cc56a134438e519a4110df10836dea9bf1341704a7b2cb9fdd88b4de1b262ceaab4f4582dced8d104055ffea9c6748aec4

                  • C:\Users\Admin\AppData\Local\Temp\b56169be-2461-410c-b1a0-680a1499b4d5.vbs

                    Filesize

                    526B

                    MD5

                    a310f0e7988cd8c7a4ecad3bd0a30f3c

                    SHA1

                    bc3a978c474b21c19851481946dcae4ff59c97ea

                    SHA256

                    84dd5a2fa8fe69118db428d2dd9ace2a2e537a6c2dec9aaadaac819a4cb74a63

                    SHA512

                    a6e313b2a96c7beb5857834c670b88cc56a134438e519a4110df10836dea9bf1341704a7b2cb9fdd88b4de1b262ceaab4f4582dced8d104055ffea9c6748aec4

                  • C:\Users\Admin\AppData\Local\Temp\bd7233fd2d54a5b73203a099df96a8243a31c250.exe

                    Filesize

                    1.4MB

                    MD5

                    98a305d83b5bcde92d88eb5f246240c0

                    SHA1

                    739903e2cb0bb1584fead08bcb41ada2db5bd85f

                    SHA256

                    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

                    SHA512

                    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

                  • C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat

                    Filesize

                    239B

                    MD5

                    1dc3e13bc9b4b4d2c0c91c633d0cf964

                    SHA1

                    b985c1370d958339bb040987b8fa9fda97a2edc9

                    SHA256

                    53627f5a90e90a913621b9964dfb10d8a294235a9d4ad71d382b0e57e788289a

                    SHA512

                    a46f3be5bcd840a6adf026c09d9dc9e86610ef71e1b7deaf90b051698260a802b11233b789ca31d17036a1c1e16d569e8cc5ea74019e04ce6c916bdb7763d65a

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    c2b142655c2607eed6587ad985674f8e

                    SHA1

                    b69d903163fb9eaec73228d734422d225c935ddd

                    SHA256

                    62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a

                    SHA512

                    aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    c2b142655c2607eed6587ad985674f8e

                    SHA1

                    b69d903163fb9eaec73228d734422d225c935ddd

                    SHA256

                    62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a

                    SHA512

                    aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    c2b142655c2607eed6587ad985674f8e

                    SHA1

                    b69d903163fb9eaec73228d734422d225c935ddd

                    SHA256

                    62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a

                    SHA512

                    aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J92BH18EH3PAUOYHWNGD.temp

                    Filesize

                    7KB

                    MD5

                    c2b142655c2607eed6587ad985674f8e

                    SHA1

                    b69d903163fb9eaec73228d734422d225c935ddd

                    SHA256

                    62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a

                    SHA512

                    aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1

                  • memory/1720-269-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1720-270-0x0000000002870000-0x00000000028F0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1720-274-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1720-276-0x0000000002870000-0x00000000028F0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1720-277-0x0000000002870000-0x00000000028F0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1720-278-0x000000000287B000-0x00000000028E2000-memory.dmp

                    Filesize

                    412KB

                  • memory/2264-22-0x0000000000680000-0x0000000000688000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-2-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-144-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-157-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-158-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-183-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-184-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-118-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-106-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-93-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-68-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

                    Filesize

                    9.9MB

                  • memory/2264-224-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

                    Filesize

                    9.9MB

                  • memory/2264-12-0x0000000000470000-0x000000000047C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2264-143-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

                    Filesize

                    9.9MB

                  • memory/2264-49-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-44-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-33-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-24-0x00000000008B0000-0x00000000008BC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2264-23-0x0000000000690000-0x000000000069A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2264-0-0x0000000000D20000-0x0000000000E8C000-memory.dmp

                    Filesize

                    1.4MB

                  • memory/2264-21-0x0000000000670000-0x000000000067C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2264-20-0x000000001B1F0000-0x000000001B270000-memory.dmp

                    Filesize

                    512KB

                  • memory/2264-13-0x0000000000480000-0x0000000000488000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-3-0x00000000002B0000-0x00000000002BE000-memory.dmp

                    Filesize

                    56KB

                  • memory/2264-4-0x00000000002C0000-0x00000000002C8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-19-0x0000000000660000-0x000000000066E000-memory.dmp

                    Filesize

                    56KB

                  • memory/2264-5-0x00000000004A0000-0x00000000004BC000-memory.dmp

                    Filesize

                    112KB

                  • memory/2264-18-0x0000000000650000-0x0000000000658000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-6-0x0000000000450000-0x0000000000458000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-7-0x00000000004C0000-0x00000000004D0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2264-8-0x00000000004D0000-0x00000000004E6000-memory.dmp

                    Filesize

                    88KB

                  • memory/2264-17-0x0000000000640000-0x000000000064E000-memory.dmp

                    Filesize

                    56KB

                  • memory/2264-16-0x0000000000630000-0x000000000063A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2264-15-0x0000000000510000-0x0000000000518000-memory.dmp

                    Filesize

                    32KB

                  • memory/2264-11-0x0000000000460000-0x000000000046C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2264-14-0x0000000000490000-0x000000000049C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2264-10-0x0000000000500000-0x000000000050A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2264-9-0x00000000004F0000-0x0000000000500000-memory.dmp

                    Filesize

                    64KB

                  • memory/2300-287-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2348-280-0x0000000002920000-0x00000000029A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2348-283-0x000000000292B000-0x0000000002992000-memory.dmp

                    Filesize

                    412KB

                  • memory/2348-279-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2348-223-0x0000000002920000-0x00000000029A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2348-225-0x0000000002310000-0x0000000002318000-memory.dmp

                    Filesize

                    32KB

                  • memory/2468-285-0x00000000029D0000-0x0000000002A50000-memory.dmp

                    Filesize

                    512KB

                  • memory/2468-286-0x00000000029DB000-0x0000000002A42000-memory.dmp

                    Filesize

                    412KB

                  • memory/2468-284-0x00000000029D0000-0x0000000002A50000-memory.dmp

                    Filesize

                    512KB

                  • memory/2468-282-0x00000000029D0000-0x0000000002A50000-memory.dmp

                    Filesize

                    512KB

                  • memory/2468-281-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2584-275-0x00000000026F4000-0x00000000026F7000-memory.dmp

                    Filesize

                    12KB

                  • memory/2584-272-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2584-267-0x00000000026FB000-0x0000000002762000-memory.dmp

                    Filesize

                    412KB

                  • memory/2644-273-0x0000000002970000-0x00000000029F0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2644-271-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2644-268-0x000000000297B000-0x00000000029E2000-memory.dmp

                    Filesize

                    412KB

                  • memory/2644-266-0x0000000002974000-0x0000000002977000-memory.dmp

                    Filesize

                    12KB

                  • memory/2644-221-0x000000001B370000-0x000000001B652000-memory.dmp

                    Filesize

                    2.9MB
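The memory-region list above reports each dumped range as `memory/PID-INDEX-START-END-memory.dmp` with a rounded Filesize, and the same range turns up under several PIDs (for instance 0x000007FEED7E0000-0x000007FEEE17D000, 9.6MB, appears for 1720, 2300, 2348, 2468, 2584 and 2644). What follows is an added example, not part of the sandbox report: a small checker that parses entries in this shape, recomputes each size from its address range so a mangled address or size is caught before the numbers are reused in a write-up, and groups identical ranges across processes. The sample input is constructed from a few entries in the listing. The reading that an identical range in several PIDs is a shared module mapping rather than per-process injected code is the example's own inference and is not stated by the report.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of memory-region entries copied from the
# listing above, in the same three-line shape (path, "Filesize", value).
SAMPLE_REPORT = """\
memory/1720-269-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp
Filesize
9.6MB
memory/1720-278-0x000000000287B000-0x00000000028E2000-memory.dmp
Filesize
412KB
memory/2264-0-0x0000000000D20000-0x0000000000E8C000-memory.dmp
Filesize
1.4MB
memory/2264-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
Filesize
9.9MB
memory/2300-287-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp
Filesize
9.6MB
memory/2644-221-0x000000001B370000-0x000000001B652000-memory.dmp
Filesize
2.9MB
memory/2644-266-0x0000000002974000-0x0000000002977000-memory.dmp
Filesize
12KB
"""

ENTRY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_entries(text):
    """Parse 'memory/PID-IDX-START-END-memory.dmp' entries and the Filesize that follows each."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i + 2 < len(lines):
        m = ENTRY_RE.match(lines[i])
        if m and lines[i + 1] == "Filesize":
            entries.append({
                "pid": int(m["pid"]),
                "idx": int(m["idx"]),
                "start": int(m["start"], 16),
                "end": int(m["end"], 16),
                "reported": lines[i + 2],   # kept as the report's rounded string
            })
            i += 3
        else:
            i += 1
    return entries


def region_size(entry):
    """Byte length of the dumped range; the report's Filesize is this value rounded."""
    return entry["end"] - entry["start"]


def format_size(nbytes):
    """Render a byte count the way the listing does: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1024 ** 2:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def check_sizes(entries):
    """Return the entries whose address range does not round to the reported Filesize.

    A mismatch points at a mangled listing (truncated address, wrong unit), not at the
    sample; a discrepancy smaller than the rounding granularity is not detectable here.
    """
    return [e for e in entries if format_size(region_size(e)) != e["reported"]]


def shared_regions(entries):
    """Map each (start, end) range seen in more than one PID to the sorted PIDs that have it.

    Assumption made by this example: an identical range at the same base in several
    processes is consistent with a shared module mapping, so it is worth separating from
    per-process heap regions before hunting for injected code in the dumps.
    """
    by_range = defaultdict(set)
    for e in entries:
        by_range[(e["start"], e["end"])].add(e["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_REPORT)
    for e in entries:
        print(f"pid {e['pid']:<5} {e['start']:#018x}-{e['end']:#018x} "
              f"{format_size(region_size(e)):>7}  (reported {e['reported']})")
    for (start, end), pids in shared_regions(entries).items():
        print(f"shared range {start:#x}-{end:#x} in pids {pids}")
    print("size mismatches:", [e['idx'] for e in check_sizes(entries)])
```

Run against the full listing, the per-PID grouping also makes the repeated 512KB region at 0x000000001B1F0000 in PID 2264 stand out as one range dumped at many indices rather than many distinct regions.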