Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 01:15

General

  • Target

    5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    5758f08ee8daacd956d144b547105710

  • SHA1

    eb9a247be053dc3ffc9986add72c3c95b9a1dcd1

  • SHA256

    fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c

  • SHA512

    2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24

  • SSDEEP

    49152:LbX4Wu2bK/B8fKsJOfivj+8TeCUN0LhZxs2AbBT7VWernS5D+oCPgpifYulI2a:/4W9K/KTag9BUNWS7JnS5qoBifHva

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\ModemLogs\System.exe
      "C:\Windows\ModemLogs\System.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1620
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\340a0a56-b735-4c5d-b379-8db6c9fdba90.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\ModemLogs\System.exe
          C:\Windows\ModemLogs\System.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1712
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\506c1e97-20ce-4a81-be97-8dfcc95d232e.vbs"
        3⤵
          PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Windows Defender\smss.exe

      Filesize

      3.1MB

      MD5

      5758f08ee8daacd956d144b547105710

      SHA1

      eb9a247be053dc3ffc9986add72c3c95b9a1dcd1

      SHA256

      fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c

      SHA512

      2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24

    • C:\Users\Admin\AppData\Local\Temp\340a0a56-b735-4c5d-b379-8db6c9fdba90.vbs

      Filesize

      707B

      MD5

      c488c2273ca32e8270ff525e2af93b7a

      SHA1

      d84a2ffeee6ab16794777edfab95b8b32dabd89e

      SHA256

      67413a746cea8d534dde0f8061f3b343cd861203a098da82cacb1527994cab69

      SHA512

      68634a738c5d92f10ad63e35824b47e04caecd57dd9227edd9fe0e2710a2f86e456383f00b16fe5b1dc86f00dc3752fd69025784c0d35c30d683fcfb47eab773

    • C:\Users\Admin\AppData\Local\Temp\Cab86FD.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar871F.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      18c548fe8639b71ede6b439e9e5efd6b

      SHA1

      0ce5be64c0e5cb90354d9388eafc89b0ddcfea52

      SHA256

      23dc834e172defa19253b1d7b5f4e1393d5e5306df2409ea9438ecf14a24b8e2

      SHA512

      48c10a288de4303a455290709b75ce8cea046d9bb787b8b68e85e168a0d25e3373f761506b6d394ad4454a0c352c15be715e9f0851357205990ef9a25e0b1185

    • C:\Windows\ModemLogs\System.exe

      Filesize

      3.1MB

      MD5

      104e7e067afb7f5685b9cf68c96cea34

      SHA1

      4884afc31acc1ec73553f397fda159b1ec4ee459

      SHA256

      3ae5584ada9307d62a457833cb148b6eff67ec80ade17d9cb2d2c30a891e5751

      SHA512

      c3cc37e6115740219cc4e10d5beef4664ded8e3df620d523fe9205d2dc30acf794f85259791cd033ca635ce89afc974f29f8030c2ef82b6ec7bb317f5d5f7895

    • C:\Windows\PCHEALTH\ERRORREP\RCX49C6.tmp

      Filesize

      3.1MB

      MD5

      66fba1d1be32d45520cc5a9771c17372

      SHA1

      3ba9307a4d52961f66e3d8587d632960a2325249

      SHA256

      b1c8559283f385a523772a5ef5fc147cb5c66636fdb604f09096e8d2b7c61805

      SHA512

      ab00ac8cc6e83c09bc3a87b7aa1faa59f24761c00fd9e5d00efdb162e0d28c70eecb6adcd4b9e1876004bf7f4a60023dabcaa6b19ad3dd8ef0d59d5de94a8d77

    • memory/1620-222-0x00000000009E0000-0x0000000000D00000-memory.dmp

      Filesize

      3.1MB

    • memory/1712-339-0x0000000000190000-0x00000000004B0000-memory.dmp

      Filesize

      3.1MB

    • memory/2552-172-0x0000000002910000-0x0000000002918000-memory.dmp

      Filesize

      32KB

    • memory/2552-163-0x000000001B500000-0x000000001B7E2000-memory.dmp

      Filesize

      2.9MB

    • memory/3016-7-0x00000000005C0000-0x00000000005C8000-memory.dmp

      Filesize

      32KB

    • memory/3016-28-0x0000000002610000-0x000000000261C000-memory.dmp

      Filesize

      48KB

    • memory/3016-13-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB

    • memory/3016-15-0x0000000000640000-0x000000000064C000-memory.dmp

      Filesize

      48KB

    • memory/3016-14-0x0000000000610000-0x0000000000618000-memory.dmp

      Filesize

      32KB

    • memory/3016-16-0x0000000000650000-0x0000000000662000-memory.dmp

      Filesize

      72KB

    • memory/3016-18-0x0000000000670000-0x000000000067C000-memory.dmp

      Filesize

      48KB

    • memory/3016-17-0x0000000000660000-0x000000000066C000-memory.dmp

      Filesize

      48KB

    • memory/3016-19-0x0000000000A20000-0x0000000000A28000-memory.dmp

      Filesize

      32KB

    • memory/3016-20-0x0000000000A30000-0x0000000000A3C000-memory.dmp

      Filesize

      48KB

    • memory/3016-21-0x0000000002340000-0x000000000234C000-memory.dmp

      Filesize

      48KB

    • memory/3016-22-0x0000000002350000-0x0000000002358000-memory.dmp

      Filesize

      32KB

    • memory/3016-23-0x0000000002540000-0x000000000254C000-memory.dmp

      Filesize

      48KB

    • memory/3016-24-0x00000000025D0000-0x00000000025DA000-memory.dmp

      Filesize

      40KB

    • memory/3016-25-0x00000000025E0000-0x00000000025EE000-memory.dmp

      Filesize

      56KB

    • memory/3016-26-0x00000000025F0000-0x00000000025F8000-memory.dmp

      Filesize

      32KB

    • memory/3016-27-0x0000000002600000-0x000000000260E000-memory.dmp

      Filesize

      56KB

    • memory/3016-12-0x00000000024F0000-0x0000000002546000-memory.dmp

      Filesize

      344KB

    • memory/3016-29-0x0000000002620000-0x0000000002628000-memory.dmp

      Filesize

      32KB

    • memory/3016-30-0x0000000002630000-0x000000000263A000-memory.dmp

      Filesize

      40KB

    • memory/3016-31-0x0000000002640000-0x000000000264C000-memory.dmp

      Filesize

      48KB

    • memory/3016-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

      Filesize

      4KB

    • memory/3016-8-0x00000000005D0000-0x00000000005E0000-memory.dmp

      Filesize

      64KB

    • memory/3016-9-0x00000000005E0000-0x00000000005F6000-memory.dmp

      Filesize

      88KB

    • memory/3016-11-0x0000000000620000-0x000000000062A000-memory.dmp

      Filesize

      40KB

    • memory/3016-10-0x0000000000600000-0x0000000000608000-memory.dmp

      Filesize

      32KB

    • memory/3016-6-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB

    • memory/3016-5-0x0000000000420000-0x000000000043C000-memory.dmp

      Filesize

      112KB

    • memory/3016-223-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB

    • memory/3016-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

      Filesize

      56KB

    • memory/3016-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

      Filesize

      56KB

    • memory/3016-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB

    • memory/3016-1-0x0000000000A40000-0x0000000000D60000-memory.dmp

      Filesize

      3.1MB