Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2024, 14:48

General

  • Target

    1994f3ef2118aeecbb74e6c8976fd47b.exe

  • Size

    3.2MB

  • MD5

    1994f3ef2118aeecbb74e6c8976fd47b

  • SHA1

    8f157fc5c2af51db24b66085f29d3c1240be36b2

  • SHA256

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

  • SHA512

    48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

  • SSDEEP

    49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
  • DCRat payload 17 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe
    "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2120
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:804
        • C:\Users\Public\Music\csrss.exe
          "C:\Users\Public\Music\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2800
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f7b6709-ed26-4a1c-82fb-31a4d65289cd.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Users\Public\Music\csrss.exe
              C:\Users\Public\Music\csrss.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1044
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f93f14-0adf-4493-91f4-352bef19b4fb.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1976
                • C:\Users\Public\Music\csrss.exe
                  C:\Users\Public\Music\csrss.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1688
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bd31eb5-9fa2-4257-9bc5-a43ac41aa03d.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2964
                    • C:\Users\Public\Music\csrss.exe
                      C:\Users\Public\Music\csrss.exe
                      9⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2256
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46503802-e186-47cb-b1ef-d2b7be6c7a60.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2656
                        • C:\Users\Public\Music\csrss.exe
                          C:\Users\Public\Music\csrss.exe
                          11⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2320
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a027564c-375f-47d9-8b00-9f9c930d55ae.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1036
                            • C:\Users\Public\Music\csrss.exe
                              C:\Users\Public\Music\csrss.exe
                              13⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2372
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a856c6-2426-45fb-a758-2d17efdc7c79.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2724
                                • C:\Users\Public\Music\csrss.exe
                                  C:\Users\Public\Music\csrss.exe
                                  15⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:2960
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0171763c-71c2-4e3c-8c68-093b64761c5f.vbs"
                                    16⤵
                                      PID:2260
                                      • C:\Users\Public\Music\csrss.exe
                                        C:\Users\Public\Music\csrss.exe
                                        17⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:2632
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80e37603-dece-4592-a79d-475ca6a1ae73.vbs"
                                          18⤵
                                            PID:2908
                                            • C:\Users\Public\Music\csrss.exe
                                              C:\Users\Public\Music\csrss.exe
                                              19⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:996
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23991465-76a0-4f90-82fe-d5aa0fb580a7.vbs"
                                                20⤵
                                                  PID:744
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e766a6-9da2-4f8b-abcf-8d2e1fc4092d.vbs"
                                                  20⤵
                                                    PID:2012
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2792d07b-8e07-4cbe-bce6-91338e48614f.vbs"
                                                18⤵
                                                  PID:1968
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac781cb-cd6e-495a-a362-6483b6795880.vbs"
                                              16⤵
                                                PID:2648
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ad29b9-73a0-4134-9736-caa93061f2f8.vbs"
                                            14⤵
                                              PID:2436
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4f1e69-41b0-4020-ab97-312ff552da46.vbs"
                                          12⤵
                                            PID:456
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73302e4f-4598-4b6f-afd2-37618fcf315f.vbs"
                                        10⤵
                                          PID:2132
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e17cf7-0f94-448a-98f0-ea331aace60f.vbs"
                                      8⤵
                                        PID:736
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56f833e-79da-4031-8d9b-47913df4d2c5.vbs"
                                    6⤵
                                      PID:2880
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf1188b-9d65-4488-a04a-28dbf6e1dd92.vbs"
                                  4⤵
                                    PID:2116
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2484
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2968
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2164
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:524
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2392
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2592
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:672
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1144
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2808
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2856
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2972
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2108
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2744
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2512
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2400

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

                                    Filesize

                                    2.3MB

                                    MD5

                                    5d977af1de7ac5402715dddff81a12a2

                                    SHA1

                                    fdfc50ac5ce39020ed56fdb4e5672fda15c1b91d

                                    SHA256

                                    3d898781eaca52631a9d69d2b89aeaf635c80a7dc5bbefb73f33ce8807225cdf

                                    SHA512

                                    cf3cfab3392d8f3c8bd99d56046463d5e39420c81e5c5a757de39368625e98a115ef0e37717a7ce1b4935f7c3683e5ac3c2c2e5a45ea6d5b52328d31a0910fdc

                                  • C:\Users\Admin\AppData\Local\Temp\0171763c-71c2-4e3c-8c68-093b64761c5f.vbs

                                    Filesize

                                    707B

                                    MD5

                                    69b47ad32b17a5aa3f8cbf97a783f793

                                    SHA1

                                    e9c9a241db674722f3fce428c363a4fef410ff67

                                    SHA256

                                    d383ea5769393921e31a79e7ce62d867936e28bd7d65f3ae994e877fef85ff41

                                    SHA512

                                    e21e41a7e68f3aa1dc9e4eb515486fbe456a3fae5c04b233737140fb4b214547ed7893bf5fb82c5e2ede47b0ce0848269b3dceb331b3be1ea869e27a34fab1f6

                                  • C:\Users\Admin\AppData\Local\Temp\1f7b6709-ed26-4a1c-82fb-31a4d65289cd.vbs

                                    Filesize

                                    707B

                                    MD5

                                    623875a708dcf5c24ed8fd9c58684441

                                    SHA1

                                    26248abf0c60d2f05089599ea8f5b3e15b3578c4

                                    SHA256

                                    544a80a97015e77ec4d5881ff5bb960724c40779e13c91b7e69b2edb5220bcaa

                                    SHA512

                                    6500d9a9b0d36f95742a4cd3d5c296aa324ee7c1e2c8964760350d4a066816b7e3e1cc85c46b654f77a01bfd6c0b65ebb3d9e8354b94a2e15f6b5d720ace03ea

                                  • C:\Users\Admin\AppData\Local\Temp\23991465-76a0-4f90-82fe-d5aa0fb580a7.vbs

                                    Filesize

                                    706B

                                    MD5

                                    360c1ebda4c34c06a42a9aa66954e23d

                                    SHA1

                                    e18ef1ad5e07c502939849aa7fb023b0028a53d9

                                    SHA256

                                    bd117e88922596178bd06dbfcc1a4cc66057241cbc49aa7c213a05a39298fb5b

                                    SHA512

                                    e4faa57ed974f0bc685f531765793cf87931b3bd2fe787d2959f549a63f1ac1f2ec6b4c7b258f47993ece4be24efcb082eddab72429e822519f41fc9f4e10e34

                                  • C:\Users\Admin\AppData\Local\Temp\2bd31eb5-9fa2-4257-9bc5-a43ac41aa03d.vbs

                                    Filesize

                                    707B

                                    MD5

                                    2a10cdc0b10eaeeb3502e3e730007357

                                    SHA1

                                    73e930897e56fd3eb5ea961720e7851a1dc8f267

                                    SHA256

                                    e986806f15dbaeebed827e8e9d7d79ad764361e9054e65f1f4116bfcce537c5a

                                    SHA512

                                    822658a479851ff2b5b61cf0357dbe5684f04b197e987d58caa3a9865a53770d1780b936b955a912225340c512aea6f06cdd8a482bfd718cc103406c07e4a4ea

                                  • C:\Users\Admin\AppData\Local\Temp\410f85fb548d2c984bd2c897e2942f934bd742ef.exe

                                    Filesize

                                    1.1MB

                                    MD5

                                    48051776708f84a234f036308f2d5192

                                    SHA1

                                    6a716f8fbc5d7e03af0c31ccfb994394cf03f3ec

                                    SHA256

                                    85ed7fc997cd5b4d8c71e7ec57f2dbfba233ae06f697bbd89da7d9a8710928fc

                                    SHA512

                                    17f097d9db5aa390552f1635e06c7149f49d9dc0a01177a407c4125e7c0613d281a5572e27a51374c4d76bcf1645875b1e8fba49f3ec3e585fd9b9bf2c2be2da

                                  • C:\Users\Admin\AppData\Local\Temp\46503802-e186-47cb-b1ef-d2b7be6c7a60.vbs

                                    Filesize

                                    707B

                                    MD5

                                    252c61d41fa398c095873e09756ba283

                                    SHA1

                                    83826fe5e96e4efddc9692a21c114ee945b30068

                                    SHA256

                                    4b7b601e1db568b8bbca0d961187e37be34094335f7ccb199de9edb0cf12c17c

                                    SHA512

                                    571b2d7d73ca7986c1109cfd845604035ee170ca90404b5aea5f1ee9b48e5f082d4f51cfbfa4e4ba7d42d670de8c75c69d004b8688075887d10b4fce59b3b507

                                  • C:\Users\Admin\AppData\Local\Temp\80e37603-dece-4592-a79d-475ca6a1ae73.vbs

                                    Filesize

                                    707B

                                    MD5

                                    a21ea52236846f21a9b6e74fa734273c

                                    SHA1

                                    fbc01a5eea85183d0d364b3183fe27f0a623ec65

                                    SHA256

                                    7104d42f6340760c8f4fd9fd6c9cfa95c7fcea42e0b0afbf9d288e84fbf230b7

                                    SHA512

                                    e79684ea4c0863c4a9a0eca363ea4f1613feaa894cc9c56c575cd2db55faaa047109651d2dcf291e86c487857ff07c36d74d4ce3178e04c2d3d258899f65febb

                                  • C:\Users\Admin\AppData\Local\Temp\91f93f14-0adf-4493-91f4-352bef19b4fb.vbs

                                    Filesize

                                    707B

                                    MD5

                                    e55465e1f5470fa61a104860cd89cc75

                                    SHA1

                                    f15aa444e529c3df491fea67e29427acd4ce30c0

                                    SHA256

                                    59c4ddb711a3a7af2511b6514b2af8366b5dec07b8822cc74032bee913ff6938

                                    SHA512

                                    9305dcd66fb029920338a0d3fb1cb48178d2d39a7b3f79c0f1ddaeb7b033465b6b88a2a30964bee98ba94a236f6d5bb07949748a6fa5fd9785f29720fc4e4309

                                  • C:\Users\Admin\AppData\Local\Temp\a027564c-375f-47d9-8b00-9f9c930d55ae.vbs

                                    Filesize

                                    707B

                                    MD5

                                    d221fe1e201163ddab222a64cbb41c6d

                                    SHA1

                                    07f9e9cabd4261e8ac397aa88b04500efcb8229a

                                    SHA256

                                    3fe736fde458ca914507633c3915889da9c1c48e8454f690f91c5254754331fb

                                    SHA512

                                    653802b8148583be20ccc8bd23e737bf5a0f03df640862452672cf0b6b5272e2c60c9627e8b762051b4b96e88aae81dc157082a53ab74d220477bc73a6c11e43

                                  • C:\Users\Admin\AppData\Local\Temp\a1a856c6-2426-45fb-a758-2d17efdc7c79.vbs

                                    Filesize

                                    707B

                                    MD5

                                    40deae23d3a781cb3a37dfa5cb77cc4f

                                    SHA1

                                    247bb1e999fc29cd7b3e87b8ce468bc269ca8e69

                                    SHA256

                                    e6ae65cfe41b3484441edfb26e103f22b6fa811776e3212f1519df5c526fc82a

                                    SHA512

                                    79b731a0a81cad04caa924e3a523c9e08c846688d9b746d8e9f52dff453a6f609a69787135d5819f9ca9d1abc706d3afad441a9be6b1a710dd5739f14823d1ee

                                  • C:\Users\Admin\AppData\Local\Temp\aaf1188b-9d65-4488-a04a-28dbf6e1dd92.vbs

                                    Filesize

                                    483B

                                    MD5

                                    fe7b711db3375c6e3eed72e9f3ca29be

                                    SHA1

                                    838103eddd28d21e63bc3223e5336c94b5033d18

                                    SHA256

                                    811349c704937e7c61d8d5e65f317bfbdddca076e7d2af53892842f5835d3a93

                                    SHA512

                                    27d693c92815adf074c863a077d76627d49b0e800f050e754c7af1d65fa806d05f02536cde17b49deeaaf07578b626225aa0ba94ed04daad5c124b0ccc72a308

                                  • C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat

                                    Filesize

                                    196B

                                    MD5

                                    9fce52b43bcdf310b33d5436bb5d8254

                                    SHA1

                                    9934249c831584580ff07726c741ccd289fe9137

                                    SHA256

                                    b9af96e59f43bb912485ed1ce79ac44ffaeb8d29398e29b0c8cac91d828dd835

                                    SHA512

                                    3e1e940c964745c1c034245d3f0e8be6f79734f9831c215cea2b70e6c474119208a1618d32428ed0215cb57fcb9142b75242a493b160625a83308fd2abb6133d

                                  • C:\Users\Public\Music\csrss.exe

                                    Filesize

                                    2.5MB

                                    MD5

                                    bddd5acbddb8b9715cb56d46233233e7

    SHA1: 94ffc545aaf1016278c404e8bec4185139c521c5
    SHA256: 3d7bc27bf8322a5eecf47af5457c346cbb4a8d7e141c0805f49aab1db2aee0dc
    SHA512: 0b568545a946f30c7186d7958acfe4da7ed58f151d3ba457aadc1db0bcb9452201f25f1f56cfae9895f2e27ed2cfb92a0178e841928dfb7e715a3ce33c95c86c

  • C:\Users\Public\Music\csrss.exe
    Filesize: 3.2MB
    MD5: 1994f3ef2118aeecbb74e6c8976fd47b
    SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
    SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
    SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

  • C:\Users\Public\Music\csrss.exe
    Filesize: 1.3MB
    MD5: 5ebd26f7b539d06ee26e4335bdad1bac
    SHA1: f8013bd49ea6c345395c56f4c373e39fe5b1d2eb
    SHA256: 7314a4df55312d5b2952c66fdc0ba36c2f5b1dbb3ad88f1dd2ba283c8400696b
    SHA512: c343fb3b8c82967042a407d684cdb5968d80446e96d1fdfe9c4e33ca727a26281a2e7cae05a997f4983ecf61e3aec41252b544ef827592d556c4a5ffe76e8e73

  • C:\Users\Public\Music\csrss.exe
    Filesize: 2.1MB
    MD5: ac56c130b3cd505aa904cb664c9e02c2
    SHA1: 827416a2efd8ffc642c68c590def694f371ab7a5
    SHA256: 11727dce2e76fddb955ceff8a25e9ac33b1cb561ebfe03ef4fb3eff3668e0d78
    SHA512: 2966efd688cb2870659cabbf5b6e9e89c0d4fee032a68e9f7d5c6ca662e03d6e92a40a484824ac69a66a8a198955218c8d93cdeb65536b2ce51a3601595b497e

  • C:\Users\Public\Music\csrss.exe
    Filesize: 960KB
    MD5: fc95f901144b526106036caf9f1d1ded
    SHA1: 2ea1694dfd32b9cee3ef3adfe9516d4cc3a3c187
    SHA256: bba41fcf986afd98eb026246769343704af4bea6628c48920458d93b7fd8d1b3
    SHA512: d5595d34c0f3935c99d4db44fe9757ff6e08505fd3c684732490249471282ba89ce2038dde4226fb4b99af28f1da63601f950e8a75a1564329979097c272dfcf

  • memory/1044-67-0x00000000009B0000-0x0000000000CE0000-memory.dmp (Filesize: 3.2MB)
  • memory/1044-68-0x000007FEF5830000-0x000007FEF621C000-memory.dmp (Filesize: 9.9MB)
  • memory/1044-69-0x000000001AF40000-0x000000001AFC0000-memory.dmp (Filesize: 512KB)
  • memory/1044-70-0x00000000021F0000-0x0000000002246000-memory.dmp (Filesize: 344KB)
  • memory/1044-81-0x000007FEF5830000-0x000007FEF621C000-memory.dmp (Filesize: 9.9MB)
  • memory/1688-83-0x000007FEF5880000-0x000007FEF626C000-memory.dmp (Filesize: 9.9MB)
  • memory/1688-96-0x000007FEF5880000-0x000007FEF626C000-memory.dmp (Filesize: 9.9MB)
  • memory/1688-85-0x000000001B470000-0x000000001B4F0000-memory.dmp (Filesize: 512KB)
  • memory/1688-84-0x0000000000CB0000-0x0000000000FE0000-memory.dmp (Filesize: 3.2MB)
  • memory/2120-15-0x000000001AA60000-0x000000001AAB6000-memory.dmp (Filesize: 344KB)
  • memory/2120-19-0x0000000000C80000-0x0000000000C88000-memory.dmp (Filesize: 32KB)
  • memory/2120-29-0x000000001AFB0000-0x000000001AFB8000-memory.dmp (Filesize: 32KB)
  • memory/2120-30-0x000000001AFC0000-0x000000001AFCE000-memory.dmp (Filesize: 56KB)
  • memory/2120-31-0x000000001AFD0000-0x000000001AFDC000-memory.dmp (Filesize: 48KB)
  • memory/2120-32-0x000000001AFE0000-0x000000001AFE8000-memory.dmp (Filesize: 32KB)
  • memory/2120-33-0x000000001AFF0000-0x000000001AFFA000-memory.dmp (Filesize: 40KB)
  • memory/2120-34-0x000000001B000000-0x000000001B00C000-memory.dmp (Filesize: 48KB)
  • memory/2120-28-0x000000001AAE0000-0x000000001AAEE000-memory.dmp (Filesize: 56KB)
  • memory/2120-26-0x000000001AFA0000-0x000000001AFA8000-memory.dmp (Filesize: 32KB)
  • memory/2120-50-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp (Filesize: 9.9MB)
  • memory/2120-25-0x000000001AAC0000-0x000000001AACC000-memory.dmp (Filesize: 48KB)
  • memory/2120-24-0x000000001AAB0000-0x000000001AABC000-memory.dmp (Filesize: 48KB)
  • memory/2120-23-0x00000000011E0000-0x00000000011E8000-memory.dmp (Filesize: 32KB)
  • memory/2120-22-0x00000000011D0000-0x00000000011DC000-memory.dmp (Filesize: 48KB)
  • memory/2120-21-0x0000000000D20000-0x0000000000D2C000-memory.dmp (Filesize: 48KB)
  • memory/2120-20-0x0000000000D10000-0x0000000000D22000-memory.dmp (Filesize: 72KB)
  • memory/2120-27-0x000000001AAD0000-0x000000001AADA000-memory.dmp (Filesize: 40KB)
  • memory/2120-18-0x0000000000C70000-0x0000000000C7C000-memory.dmp (Filesize: 48KB)
  • memory/2120-17-0x0000000000C60000-0x0000000000C68000-memory.dmp (Filesize: 32KB)
  • memory/2120-16-0x0000000000C50000-0x0000000000C5C000-memory.dmp (Filesize: 48KB)
  • memory/2120-14-0x0000000000C40000-0x0000000000C4A000-memory.dmp (Filesize: 40KB)
  • memory/2120-13-0x0000000000C30000-0x0000000000C40000-memory.dmp (Filesize: 64KB)
  • memory/2120-12-0x0000000000C20000-0x0000000000C28000-memory.dmp (Filesize: 32KB)
  • memory/2120-11-0x00000000006C0000-0x00000000006CC000-memory.dmp (Filesize: 48KB)
  • memory/2120-10-0x0000000000C10000-0x0000000000C22000-memory.dmp (Filesize: 72KB)
  • memory/2120-9-0x00000000006B0000-0x00000000006B8000-memory.dmp (Filesize: 32KB)
  • memory/2120-8-0x0000000000690000-0x00000000006A6000-memory.dmp (Filesize: 88KB)
  • memory/2120-7-0x0000000000680000-0x0000000000690000-memory.dmp (Filesize: 64KB)
  • memory/2120-6-0x0000000000180000-0x0000000000188000-memory.dmp (Filesize: 32KB)
  • memory/2120-5-0x0000000000170000-0x0000000000178000-memory.dmp (Filesize: 32KB)
  • memory/2120-4-0x0000000000160000-0x000000000016E000-memory.dmp (Filesize: 56KB)
  • memory/2120-3-0x0000000000140000-0x000000000014E000-memory.dmp (Filesize: 56KB)
  • memory/2120-0-0x00000000012F0000-0x0000000001620000-memory.dmp (Filesize: 3.2MB)
  • memory/2120-2-0x000000001B020000-0x000000001B0A0000-memory.dmp (Filesize: 512KB)
  • memory/2120-1-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp (Filesize: 9.9MB)
  • memory/2256-99-0x00000000000F0000-0x0000000000420000-memory.dmp (Filesize: 3.2MB)
  • memory/2256-100-0x000000001B120000-0x000000001B1A0000-memory.dmp (Filesize: 512KB)
  • memory/2256-101-0x0000000000C00000-0x0000000000C56000-memory.dmp (Filesize: 344KB)
  • memory/2256-113-0x000007FEF4E90000-0x000007FEF587C000-memory.dmp (Filesize: 9.9MB)
  • memory/2256-98-0x000007FEF4E90000-0x000007FEF587C000-memory.dmp (Filesize: 9.9MB)
  • memory/2256-102-0x0000000002290000-0x00000000022A2000-memory.dmp (Filesize: 72KB)
  • memory/2320-116-0x0000000001090000-0x00000000013C0000-memory.dmp (Filesize: 3.2MB)
  • memory/2320-118-0x0000000000730000-0x0000000000742000-memory.dmp (Filesize: 72KB)
  • memory/2320-119-0x0000000000BA0000-0x0000000000BF6000-memory.dmp (Filesize: 344KB)
  • memory/2320-117-0x000000001B350000-0x000000001B3D0000-memory.dmp (Filesize: 512KB)
  • memory/2320-130-0x000007FEF5880000-0x000007FEF626C000-memory.dmp (Filesize: 9.9MB)
  • memory/2320-115-0x000007FEF5880000-0x000007FEF626C000-memory.dmp (Filesize: 9.9MB)
  • memory/2372-132-0x000007FEF4E90000-0x000007FEF587C000-memory.dmp (Filesize: 9.9MB)
  • memory/2372-133-0x000000001B130000-0x000000001B1B0000-memory.dmp (Filesize: 512KB)
  • memory/2372-134-0x0000000000B80000-0x0000000000B92000-memory.dmp (Filesize: 72KB)
  • memory/2800-65-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp (Filesize: 9.9MB)
  • memory/2800-55-0x000000001B1C0000-0x000000001B240000-memory.dmp (Filesize: 512KB)
  • memory/2800-54-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp (Filesize: 9.9MB)
  • memory/2800-53-0x0000000000140000-0x0000000000470000-memory.dmp (Filesize: 3.2MB)