Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 23:06

General

  • Target

    7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

  • Size

    3.2MB

  • MD5

    5e11b7a6246841f5c8dc76aa757e0613

  • SHA1

    44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639

  • SHA256

    7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf

  • SHA512

    2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0

  • SSDEEP

    49152:/C0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:/C0Fl8v/qXYrv5tG9uKJGAWl5N

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eT93LUFj2H.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:604
        • C:\Windows\AppCompat\Programs\System.exe
          "C:\Windows\AppCompat\Programs\System.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1824
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5270945d-02bb-47fb-9147-e281ee513ae8.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Windows\AppCompat\Programs\System.exe
              C:\Windows\AppCompat\Programs\System.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1304
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c61fc4-bda2-40b0-a6bf-f8fc282f5d6e.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2456
                • C:\Windows\AppCompat\Programs\System.exe
                  C:\Windows\AppCompat\Programs\System.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2084
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ccef053-b8de-4797-b100-69b52336df52.vbs"
                    8⤵
                      PID:2936
                      • C:\Windows\AppCompat\Programs\System.exe
                        C:\Windows\AppCompat\Programs\System.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:836
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6061930f-22c0-490c-82fa-fdfffdd4fd96.vbs"
                          10⤵
                            PID:560
                            • C:\Windows\AppCompat\Programs\System.exe
                              C:\Windows\AppCompat\Programs\System.exe
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:860
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab2fbe8-315f-45cd-9d6e-a209062f6039.vbs"
                                12⤵
                                  PID:2296
                                  • C:\Windows\AppCompat\Programs\System.exe
                                    C:\Windows\AppCompat\Programs\System.exe
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1304
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c727d1e-78ec-4ad6-86d3-c0169ef186dc.vbs"
                                      14⤵
                                        PID:2608
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd85e2e4-2529-40ca-97f2-63c28c2880fe.vbs"
                                        14⤵
                                          PID:2648
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ca0e27-a49d-462c-8b6c-46185301d45b.vbs"
                                      12⤵
                                        PID:2740
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735fb628-2ff2-4bc7-8c64-29fb716b1266.vbs"
                                    10⤵
                                      PID:1128
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7e0b3d7-3103-488e-b27b-b31642f82fda.vbs"
                                  8⤵
                                    PID:1540
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c57601-a554-4bc9-98f7-54b5dc5190b5.vbs"
                                6⤵
                                  PID:2260
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb43163-9a44-4807-b135-220d03952a2e.vbs"
                              4⤵
                                PID:1672
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2628
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2676
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2452
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2528
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2968
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2928
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2776
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2772
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2804
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2196
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1600
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1708
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2032
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1068
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1820
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf7" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1452
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf" /sc ONLOGON /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:560
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf7" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2696
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1660
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1652
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1552
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1084
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1336
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2076
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2052
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2300
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1244

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\1ab2fbe8-315f-45cd-9d6e-a209062f6039.vbs

                          Filesize

                          715B

                          MD5

                          77ce10cdb2c5a73029446691bd50c76a

                          SHA1

                          52818abfa70422c23c7035588ec4196b13b15f9d

                          SHA256

                          0e2885239037989d8436037d309caacc7eee0c5483e9f565287258dfde821979

                          SHA512

                          2043ba9c8229a418388d85385e412368d7a8fc8ac5ca04616438ecc6888ffdfbbd957ff31e28b48cdd612f0a3ad12f79aa86d1a6506aeb9ec90a84fbf38f4539

                        • C:\Users\Admin\AppData\Local\Temp\32c61fc4-bda2-40b0-a6bf-f8fc282f5d6e.vbs

                          Filesize

                          716B

                          MD5

                          f7de4559d09053790396c997cc9455be

                          SHA1

                          d838cd52e24da66b31edc5a40cb74e47b15bd758

                          SHA256

                          4d10216e0e10390238e11d92de7c6576dbab22294403950d200804a901beaf0e

                          SHA512

                          cdc696c94f2e08243b6b38d58c5500928c9920e73f22c43cea2a7495b239f995439ddf59bf4a9a01e4f690dfcab49c7ba12c3bb432e37d5cb618ca98a4d0e0d4

                        • C:\Users\Admin\AppData\Local\Temp\5270945d-02bb-47fb-9147-e281ee513ae8.vbs

                          Filesize

                          716B

                          MD5

                          0492d133866c556701c48c50e8be86ff

                          SHA1

                          d39bf2dce3dad2ac2772401940811fcd82b5467a

                          SHA256

                          c6441ec98c5ed1f783123ef2d610327c1c2a3e4de3b6b4fce4b381cd866d8ec1

                          SHA512

                          c71e32283b234a7fbbc030b36c8566ee9f2d02adc651c6c73494c5a3787a46f591b12a571737275e762b7875c6fa4c89a80b00ab2891d1e33f923a0917dca64a

                        • C:\Users\Admin\AppData\Local\Temp\6061930f-22c0-490c-82fa-fdfffdd4fd96.vbs

                          Filesize

                          715B

                          MD5

                          902111f841697271cf2db4ed4ac8910f

                          SHA1

                          d7d58b720f576178a9c2bf3814123f3364addd4c

                          SHA256

                          0ba9497559f358b1d00e258840bbf8148495b51ebc08c47635c368025876ce5c

                          SHA512

                          6a961e12caf8a5b823dc06c283c0173d6d655e7d3a4d067a63d0834a0fc1febb346acd6e1ac4f369d61d7d4f97385a3b22b3cf240792dd0126f50ed97cc41f23

                        • C:\Users\Admin\AppData\Local\Temp\6ccef053-b8de-4797-b100-69b52336df52.vbs

                          Filesize

                          716B

                          MD5

                          4990c9f1d9c347c7984c6b0f48333cd3

                          SHA1

                          eb7b65e6bddc5e3eac15e78b87d0242e335a2562

                          SHA256

                          6a9a6f6f14518b2b71eaf328ce00fe554bf64c1ba8b971334fa6f9f79590a73d

                          SHA512

                          d67e29953c4946f84f1024dcbad6eddc205f60001c2c3c2f681529c59ef82950543f6634b479982d8df3c2e4323c8c9597138ade34d4b496e21e14dc4d59c24c

                        • C:\Users\Admin\AppData\Local\Temp\beb43163-9a44-4807-b135-220d03952a2e.vbs

                          Filesize

                          492B

                          MD5

                          268741bfff166143c9da4593b7b987d4

                          SHA1

                          bf858ae021c630fa881c123d94fc67eba55d1597

                          SHA256

                          288a5b13c26f8e4217e1c06c15066ee54ed4e1b8789e5b78bdd7430975961e05

                          SHA512

                          8b0b97062fe385b18851ea57b97a95ddcedd932d3b59ca45b01862f71a649d13b6e80258af90ffc98ffebf847ed19a0949bb2dafa7f5a9fbc67e8a166c5e6efe

                        • C:\Users\Admin\AppData\Local\Temp\eT93LUFj2H.bat

                          Filesize

                          205B

                          MD5

                          d116a77bfb16306ea909e92dd2b1e6b4

                          SHA1

                          fe70a575670fee0a44126022d1090a18d76068dc

                          SHA256

                          d595d0b430bf4368aa0ace0b92864b11dbea3e21b519de52fc7adbb282f3f84e

                          SHA512

                          0236a7a42d86cac4cf8bae1a27e77e5233b21a696b2c2716942147f97fa78279a614679f5cc48671116d972dbc38e142f6f80c8ba41df629dca2883183b5b124

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                          Filesize

                          7KB

                          MD5

                          44ec6dac6e50baa7165670792cb46a44

                          SHA1

                          eeec40bf7e3826459d0de5336314eac5936699f8

                          SHA256

                          3771383e1164a3e75b6734edcc92714c9c7eed15f6410065d92fd31fce9daaca

                          SHA512

                          956e580d7df73610451e34e9352764dc1d475089c3838677e3b9362ccab5b4d32f290d541ad5f4b6c03846c287269b0a96ef188b8dca4defb8c4d539fd148d47

                        • C:\Users\Default\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

                          Filesize

                          3.2MB

                          MD5

                          f13864417a04a119f5a6f3c0ac00a819

                          SHA1

                          588711e6bc6bb30b4a15209b90d44ba49d21a10f

                          SHA256

                          SHA256: 7f90c7386cddf9c1dbd68ea560a26c8c5f5b270135a430fd9e275c3b17de2c7f
                          SHA512: bca7deaca806c54bdc63184b3abf3862f696d165176f9dcb17a221dcff03df32f755f57f6cfb0693e8545f84bb2296d2c076bcfc6e7ce394fa5b05e78ffe866f

                        • C:\Users\Default\Downloads\wininit.exe
                          Filesize: 3.2MB
                          MD5: 37e91c46e45e78e758a58e5ef1e89540
                          SHA1: 022aae824ef061d0a980e97cc93617f0855d5a3b
                          SHA256: 1f408117b8b53698ee386013f35689b5f52a74d5c5ce6cd59af93cc809f2032c
                          SHA512: b19b9c9d1f338ee4221572b2d467bac5d4f9f480b9d26993877bc0cc1a93d103182ec7516e7200f987e7b2c17de13e931eaf4da552b72975c3eedb8fa7081861

                        • C:\Users\Public\Videos\Sample Videos\lsm.exe
                          Filesize: 3.2MB
                          MD5: 5e11b7a6246841f5c8dc76aa757e0613
                          SHA1: 44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639
                          SHA256: 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
                          SHA512: 2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0

                        • C:\Windows\AppCompat\Programs\System.exe
                          Filesize: 3.2MB
                          MD5: a504a8ed00d24fe8b8c4aa41f7ca2f43
                          SHA1: 7ca846355ce174493125e4337c9c0ec0fbdd48e6
                          SHA256: 3b14c6d89f54b79b7e1655d0f3cc0e482e1644fbddc38302b1be543f70d16931
                          SHA512: 849a9c1e739023392de6ad881df4ca372e7024c3881d43df47e06e44a465f13fee77709e4cab35eec8f97c3a78f034e2987190a049b0b99c24c10c9f7c59a8f9

                        • memory/836-168-0x000000001B610000-0x000000001B8F2000-memory.dmp (Filesize: 2.9MB)
                        • memory/860-266-0x00000000000A0000-0x00000000003DC000-memory.dmp (Filesize: 3.2MB)
                        • memory/1304-278-0x00000000012E0000-0x000000000161C000-memory.dmp (Filesize: 3.2MB)
                        • memory/1304-232-0x0000000000C30000-0x0000000000C86000-memory.dmp (Filesize: 344KB)
                        • memory/1304-231-0x0000000001360000-0x000000000169C000-memory.dmp (Filesize: 3.2MB)
                        • memory/1304-279-0x0000000000D20000-0x0000000000D32000-memory.dmp (Filesize: 72KB)
                        • memory/1620-179-0x0000000001E60000-0x0000000001E68000-memory.dmp (Filesize: 32KB)
                        • memory/1824-219-0x0000000000960000-0x0000000000C9C000-memory.dmp (Filesize: 3.2MB)
                        • memory/1824-220-0x00000000024F0000-0x0000000002502000-memory.dmp (Filesize: 72KB)
                        • memory/3000-18-0x0000000000AC0000-0x0000000000AD2000-memory.dmp (Filesize: 72KB)
                        • memory/3000-30-0x0000000002610000-0x000000000261A000-memory.dmp (Filesize: 40KB)
                        • memory/3000-26-0x00000000023F0000-0x00000000023F8000-memory.dmp (Filesize: 32KB)
                        • memory/3000-25-0x00000000023E0000-0x00000000023EE000-memory.dmp (Filesize: 56KB)
                        • memory/3000-24-0x00000000023D0000-0x00000000023DA000-memory.dmp (Filesize: 40KB)
                        • memory/3000-23-0x0000000002400000-0x0000000002408000-memory.dmp (Filesize: 32KB)
                        • memory/3000-20-0x00000000023A0000-0x00000000023AC000-memory.dmp (Filesize: 48KB)
                        • memory/3000-19-0x0000000002390000-0x000000000239C000-memory.dmp (Filesize: 48KB)
                        • memory/3000-17-0x0000000000750000-0x0000000000758000-memory.dmp (Filesize: 32KB)
                        • memory/3000-16-0x0000000000740000-0x000000000074C000-memory.dmp (Filesize: 48KB)
                        • memory/3000-15-0x0000000000730000-0x0000000000738000-memory.dmp (Filesize: 32KB)
                        • memory/3000-13-0x00000000006E0000-0x0000000000736000-memory.dmp (Filesize: 344KB)
                        • memory/3000-5-0x0000000000270000-0x0000000000278000-memory.dmp (Filesize: 32KB)
                        • memory/3000-28-0x00000000025F0000-0x00000000025FC000-memory.dmp (Filesize: 48KB)
                        • memory/3000-29-0x0000000002600000-0x0000000002608000-memory.dmp (Filesize: 32KB)
                        • memory/3000-31-0x0000000002620000-0x000000000262C000-memory.dmp (Filesize: 48KB)
                        • memory/3000-34-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp (Filesize: 9.9MB)
                        • memory/3000-27-0x0000000002450000-0x000000000245E000-memory.dmp (Filesize: 56KB)
                        • memory/3000-211-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp (Filesize: 9.9MB)
                        • memory/3000-22-0x00000000023C0000-0x00000000023CC000-memory.dmp (Filesize: 48KB)
                        • memory/3000-21-0x00000000023B0000-0x00000000023BC000-memory.dmp (Filesize: 48KB)
                        • memory/3000-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp (Filesize: 4KB)
                        • memory/3000-14-0x00000000006B0000-0x00000000006BC000-memory.dmp (Filesize: 48KB)
                        • memory/3000-6-0x0000000000280000-0x000000000029C000-memory.dmp (Filesize: 112KB)
                        • memory/3000-7-0x00000000002A0000-0x00000000002A8000-memory.dmp (Filesize: 32KB)
                        • memory/3000-9-0x0000000000670000-0x0000000000686000-memory.dmp (Filesize: 88KB)
                        • memory/3000-10-0x0000000000690000-0x0000000000698000-memory.dmp (Filesize: 32KB)
                        • memory/3000-11-0x00000000006D0000-0x00000000006E0000-memory.dmp (Filesize: 64KB)
                        • memory/3000-12-0x00000000006A0000-0x00000000006AA000-memory.dmp (Filesize: 40KB)
                        • memory/3000-8-0x0000000000660000-0x0000000000670000-memory.dmp (Filesize: 64KB)
                        • memory/3000-4-0x0000000000260000-0x000000000026E000-memory.dmp (Filesize: 56KB)
                        • memory/3000-3-0x0000000000250000-0x000000000025E000-memory.dmp (Filesize: 56KB)
                        • memory/3000-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp (Filesize: 9.9MB)
                        • memory/3000-1-0x00000000002B0000-0x00000000005EC000-memory.dmp (Filesize: 3.2MB)