Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 11:17

General

  • Target

    dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    dc4a687b17405db35530af6aa40cd2b0

  • SHA1

    acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88

  • SHA256

    3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44

  • SHA512

    620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:572
        • C:\Program Files (x86)\Common Files\csrss.exe
          "C:\Program Files (x86)\Common Files\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:748
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6f3677-dbcc-4b3c-a7be-3a88cfb5c71d.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Program Files (x86)\Common Files\csrss.exe
              "C:\Program Files (x86)\Common Files\csrss.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2572
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2806871b-da50-4591-8606-0f40d0514b19.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2984
                • C:\Program Files (x86)\Common Files\csrss.exe
                  "C:\Program Files (x86)\Common Files\csrss.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2344
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs"
                    8⤵
                      PID:1496
                      • C:\Program Files (x86)\Common Files\csrss.exe
                        "C:\Program Files (x86)\Common Files\csrss.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1508
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80cac005-5464-42b3-b6f7-ccbdff9ac61b.vbs"
                          10⤵
                            PID:2364
                            • C:\Program Files (x86)\Common Files\csrss.exe
                              "C:\Program Files (x86)\Common Files\csrss.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1144
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082872b8-b9c9-47a1-8c4a-4c00cc176239.vbs"
                                12⤵
                                  PID:1984
                                  • C:\Program Files (x86)\Common Files\csrss.exe
                                    "C:\Program Files (x86)\Common Files\csrss.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2836
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b23422f-d73b-43d3-9f6a-dca94ed7879f.vbs"
                                      14⤵
                                        PID:2108
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45959d14-2b03-4732-9893-d5a2da94bc29.vbs"
                                        14⤵
                                          PID:2240
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55417941-8078-47bf-abab-99b63f05c350.vbs"
                                      12⤵
                                        PID:1740
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4c0b3-9bfd-42d3-bb6a-6770e6ebd2a6.vbs"
                                    10⤵
                                      PID:1236
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f5c2e7-8ca2-4962-8867-f7ee5a4881e3.vbs"
                                  8⤵
                                    PID:2892
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f99d70-9aba-4b1e-b817-b45033e35577.vbs"
                                6⤵
                                  PID:1624
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7010f0-a0bf-46bb-9996-bde873b688d7.vbs"
                              4⤵
                                PID:1608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:640

Network

MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Program Files (x86)\Common Files\csrss.exe

                          Filesize

                          3.2MB

                          MD5

                          8619675d9facaebcdb15ac1ca117b1a9

                          SHA1

                          3c0548be4af55784db8a1eff6137e05098cf11af

                          SHA256

                          80046fb86243ebcbc22711ab5ef87b0155c21be7c48c4d6dd85b76d7961df4d3

                          SHA512

                          56ec4ca27854e0ac7743584cfcdd31dc9f41e2d0b726d31746d8f682f66531f0049c9fed7329492978498ab5c8a25229b79a4e2a29fcae5d14dcaaad4d5d936d

                        • C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe

                          Filesize

                          3.2MB

                          MD5

                          dc4a687b17405db35530af6aa40cd2b0

                          SHA1

                          acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88

                          SHA256

                          3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44

                          SHA512

                          620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487

                        • C:\ProgramData\Microsoft\Windows\Templates\audiodg.exe

                          Filesize

                          3.2MB

                          MD5

                          846567f7be74008c7943ac705f408edf

                          SHA1

                          684c2d7abe5cc500d658216fa2007a1deb06543b

                          SHA256

                          8e758eddac1ab550835c9388cea160de727f8aa185e642717e5fe96dfd6aadbd

                          SHA512

                          694de66c3e0909496ac512c57e02352073174c8939a16fe85e44392e857a972138c17ee014704cf5fc25d060027518a90ab550daa9aa6846f777bdc45fadbc5d

                        • C:\ProgramData\Microsoft\csrss.exe

                          Filesize

                          3.2MB

                          MD5

                          7515fec42a8153473337c1507e8273d7

                          SHA1

                          0e0f88724607103c79837382edc842ac21f520f7

                          SHA256

                          f1c3aec53ff4ea63a13f4ff740231e0cc8c849633b52a382d9f5e16cc2f4a8c7

                          SHA512

                          7f42221192ea5b9ac8ba0b2fe7232a3c9c7ad727728a038d79bc488097854cca8433724cd3e96bf29db8d84810af5f7291c10229d5277d1994ae65b45e532f06

                        • C:\Users\Admin\AppData\Local\Temp\082872b8-b9c9-47a1-8c4a-4c00cc176239.vbs

                          Filesize

                          721B

                          MD5

                          8003664e5b32a5cafe0c7d8b699c9351

                          SHA1

                          acbe1bb6dd686166c1c6d0f0a84ddcaee0b658a2

                          SHA256

                          b0535ad65a2da1f04d0a40095ba2a08bf02db8a209f8c03fefc02cf1be7a2e99

                          SHA512

                          4d7aa6851701fd267e67a523532c9e702112f0e0b9a474869d89ab94833b9a68cd80a2515b54b93ba56b03137947c20549cadb0a727c2b18c604cc056710b9cb

                        • C:\Users\Admin\AppData\Local\Temp\2806871b-da50-4591-8606-0f40d0514b19.vbs

                          Filesize

                          721B

                          MD5

                          b00d712201b9ecc070af45733defdf27

                          SHA1

                          d42f7a8090553b29f0ccdafa1a181672d7170007

                          SHA256

                          0444c3c8977c837ff64b352550dddbe8643b9a5a388455fb01e9b63dd9e456c1

                          SHA512

                          17b46f81c443b9fd2b753e4db8f17b33dc0128ff16365ae13b0df45bd0701a5922b6330d77630d772734d3a4a102a194d4872976c2c873d1796dd41d9ab30e34

                        • C:\Users\Admin\AppData\Local\Temp\3b23422f-d73b-43d3-9f6a-dca94ed7879f.vbs

                          Filesize

                          721B

                          MD5

                          b33c089fb1d7cf43c98cc9660bd32d2a

                          SHA1

                          d4a91d2f25fa76cb8369d529a410666de8357521

                          SHA256

                          536ac86e434e703e239571061c6252d84940965ca07285a53d1960894166efc0

                          SHA512

                          9734334017fd38b8f1db341ecaba2a2ce9247ff7d0727f167a31b2cf43ad66fe5662b80ff2916eb72f58d0a52d2d72ab5acbd3e478b91a0a9f8a38535dab2b11

                        • C:\Users\Admin\AppData\Local\Temp\5a7010f0-a0bf-46bb-9996-bde873b688d7.vbs

                          Filesize

                          497B

                          MD5

                          52b7a4e80fd6da781c2da3d84544d252

                          SHA1

                          ea871d5e58ca2494fddb770c5076ad67bb36ae9c

                          SHA256

                          e3d63a11320cccebee50c08c6276351207da6248ca19918c201bca4058c892a3

                          SHA512

                          f7e684e01d72024f3a62edfcea2182d26dffab9414473213059910fecd19bc11b513b343b0a6dddf011b17f1a6c5efa96d0dc67ffc153758d94ce8c179b2425d

                        • C:\Users\Admin\AppData\Local\Temp\6a6f3677-dbcc-4b3c-a7be-3a88cfb5c71d.vbs
                          Filesize: 720B
                          MD5: bea91e081473ea29f997ef171b40ff2c
                          SHA1: 32c379cf76d387266f618306bde41094ec6d9720
                          SHA256: 7b61eab4c0f3b51e7491aa974cb2a99a6995b0d7aac65e2596d6e299dbcb2ae3
                          SHA512: d06fbdd35db09dbcd890650352a251bfb18f702b052cfe3bc3330b3baf03fb49a4d2fde222a48171f85467091be1ce85c5349fc3d7b53e05ce3789dcd58bc6ce

                        • C:\Users\Admin\AppData\Local\Temp\80cac005-5464-42b3-b6f7-ccbdff9ac61b.vbs
                          Filesize: 721B
                          MD5: c7c634c3c2e44e37115f0509f7b29bd3
                          SHA1: 13565058a292ad0373e634704857aa4cd921531a
                          SHA256: c10c95e0d626751694a2ee69230a0a36e24227e0483296e5f00042611e549c6d
                          SHA512: cd4ee4139f6e9baeb7799dc2ff24167234c8d4b381b1c38ac75cd4c88923aee51cdca2479cb64a4bf8cc16f5e3d93f053bb4d535276a201f18bb778197e399c9

                        • C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat
                          Filesize: 210B
                          MD5: 8623ca35055e8eecafb3bbeed719b775
                          SHA1: 716ae42d2bd86aa799d1ab6776f1881f1df260c4
                          SHA256: fbaaa99e83c4757fc1107baf75ca7a4d4b548f06b0e16e1e3ed5b910b361729a
                          SHA512: 8b19435ce1685f22262b4084c9a891a08f8ee0f0e6452460de29795f2523bbe11645edc4f755fa4b8c0701645f11d0a5c15a9dc636739dc6e7d9762581907148

                        • C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs
                          Filesize: 721B
                          MD5: 13f00e77e0fffd18038123841ef4bcb3
                          SHA1: 266466f4ddfb8c2edeb1af52409f78026c66755a
                          SHA256: f76b124101124cacd0bc2d8b55483817f7bf6f2b288fa49e5a004be4c432b27a
                          SHA512: aa63e9042ca83170f03a59190ef91ccc32ea9d77b08778e1e3d14ed48497f2d34665808efcd632dd1e8dd3cae9b1388058f6030099fb16f689f565acd0ecd3a9

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize: 7KB
                          MD5: c609982eb0d748e330ead233ca27aa1b
                          SHA1: 3afc9753b9d7aecb3579016c9fd7d6a46d1d9b78
                          SHA256: 44bc50c8c368ee7902f1e482da71266e7adf36ee6ac87cfe81e62c0e3383b06c
                          SHA512: 52035c2a7eb033eebb489fb925451a35c644a5cb77e0bd69c90259b89cb19136a09bede6ec63d0218a2f5aa7983523184d741df18a18b3a1985da862cee3e7e0

                        • memory/748-241-0x0000000001270000-0x00000000015AC000-memory.dmp
                          Filesize: 3.2MB

                        • memory/1144-288-0x0000000001360000-0x000000000169C000-memory.dmp
                          Filesize: 3.2MB

                        • memory/1508-276-0x0000000000EA0000-0x00000000011DC000-memory.dmp
                          Filesize: 3.2MB

                        • memory/1532-186-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
                          Filesize: 2.9MB

                        • memory/1860-26-0x00000000025F0000-0x00000000025F8000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-14-0x00000000006B0000-0x00000000006BC000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-19-0x00000000022F0000-0x00000000022FC000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-20-0x0000000002400000-0x000000000240C000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-21-0x0000000002410000-0x000000000241C000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-22-0x0000000002420000-0x000000000242C000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-24-0x00000000025C0000-0x00000000025CA000-memory.dmp
                          Filesize: 40KB

                        • memory/1860-23-0x00000000025D0000-0x00000000025D8000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-25-0x00000000025E0000-0x00000000025EE000-memory.dmp
                          Filesize: 56KB

                        • memory/1860-0-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp
                          Filesize: 4KB

                        • memory/1860-27-0x000000001AA00000-0x000000001AA0E000-memory.dmp
                          Filesize: 56KB

                        • memory/1860-28-0x000000001AA10000-0x000000001AA1C000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-29-0x000000001ADF0000-0x000000001ADF8000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-30-0x000000001AE00000-0x000000001AE0A000-memory.dmp
                          Filesize: 40KB

                        • memory/1860-31-0x000000001AE10000-0x000000001AE1C000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-32-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
                          Filesize: 9.9MB

                        • memory/1860-17-0x00000000022B0000-0x00000000022B8000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-16-0x00000000022A0000-0x00000000022AC000-memory.dmp
                          Filesize: 48KB

                        • memory/1860-15-0x0000000000720000-0x0000000000728000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-18-0x00000000022C0000-0x00000000022D2000-memory.dmp
                          Filesize: 72KB

                        • memory/1860-13-0x00000000006D0000-0x0000000000726000-memory.dmp
                          Filesize: 344KB

                        • memory/1860-1-0x00000000008D0000-0x0000000000C0C000-memory.dmp
                          Filesize: 3.2MB

                        • memory/1860-191-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
                          Filesize: 9.9MB

                        • memory/1860-12-0x00000000006A0000-0x00000000006AA000-memory.dmp
                          Filesize: 40KB

                        • memory/1860-11-0x00000000006C0000-0x00000000006D0000-memory.dmp
                          Filesize: 64KB

                        • memory/1860-10-0x0000000000690000-0x0000000000698000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-9-0x0000000000670000-0x0000000000686000-memory.dmp
                          Filesize: 88KB

                        • memory/1860-8-0x0000000000660000-0x0000000000670000-memory.dmp
                          Filesize: 64KB

                        • memory/1860-2-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
                          Filesize: 9.9MB

                        • memory/1860-7-0x0000000000380000-0x0000000000388000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-3-0x00000000002B0000-0x00000000002BE000-memory.dmp
                          Filesize: 56KB

                        • memory/1860-6-0x0000000000360000-0x000000000037C000-memory.dmp
                          Filesize: 112KB

                        • memory/1860-5-0x00000000002D0000-0x00000000002D8000-memory.dmp
                          Filesize: 32KB

                        • memory/1860-4-0x00000000002C0000-0x00000000002CE000-memory.dmp
                          Filesize: 56KB

                        • memory/2344-264-0x0000000000380000-0x00000000006BC000-memory.dmp
                          Filesize: 3.2MB

                        • memory/2572-252-0x0000000001260000-0x0000000001272000-memory.dmp
                          Filesize: 72KB

                        • memory/2736-197-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
                          Filesize: 32KB
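The dropped-file hashes and memory ranges listed above are only useful for hunting once they are machine-readable, so here is an added example (not part of the sandbox report, nor code from the sandbox that produced it) that parses this section into records, recomputes each memory dump's size from the address range in its name to confirm the printed Filesize, lists the PIDs that hold a dumped region of the same size as the 3.2MB submitted sample, and emits a SHA256-to-path map of the dropped files. The text in REPORT_EXCERPT is copied from the entries above as constructed input (the first entry in the page's spaced "label, blank line, value" layout, the rest in a compact "Label: value" layout; the parser accepts both). Every function and class name is this example's own.

```python
"""Parse the dropped-file and memory-region entries of a sandbox report and
cross-check them. Added example, not part of the original report; the entries
in REPORT_EXCERPT are copied from the page, and all names here are the example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: first entry in the page's spaced layout, the rest compacted.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat

  Filesize

  210B

  SHA256

  fbaaa99e83c4757fc1107baf75ca7a4d4b548f06b0e16e1e3ed5b910b361729a

• C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs
  Filesize: 721B
  SHA256: f76b124101124cacd0bc2d8b55483817f7bf6f2b288fa49e5a004be4c432b27a
• memory/748-241-0x0000000001270000-0x00000000015AC000-memory.dmp
  Filesize: 3.2MB
• memory/1860-1-0x00000000008D0000-0x0000000000C0C000-memory.dmp
  Filesize: 3.2MB
• memory/1860-26-0x00000000025F0000-0x00000000025F8000-memory.dmp
  Filesize: 32KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# memory/<pid>-<n>-<start>-<end>-memory.dmp  -> groups: pid, start, end
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Entry:
    name: str               # dropped-file path, or the memory/<pid>-<n>-<start>-<end> name
    fields: Dict[str, str]  # Filesize / MD5 / SHA1 / SHA256 / SHA512 exactly as printed

    @property
    def is_memory(self) -> bool:
        return MEM_RE.match(self.name) is not None


def parse_report(text: str) -> List[Entry]:
    """One Entry per bullet; accepts both 'Label' + 'value' on separate lines and 'Label: value'."""
    entries: List[Entry] = []
    pending: Optional[str] = None   # label seen on its own line, value still to come
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append(Entry(line[1:].strip(), {}))
            pending = None
        elif not entries:
            continue                # stray text before the first bullet
        elif pending is not None:
            entries[-1].fields[pending] = line
            pending = None
        elif line in LABELS:
            pending = line
        elif ":" in line and line.split(":", 1)[0] in LABELS:
            label, value = line.split(":", 1)
            entries[-1].fields[label] = value.strip()
    return entries


def format_size(nbytes: int) -> str:
    """Render a byte count the way the report does: binary units, one decimal for MB."""
    if nbytes < 1024:
        return f"{nbytes}B"
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def memory_span(entry: Entry) -> Optional[int]:
    """Bytes covered by the start/end addresses embedded in a memory entry's name."""
    m = MEM_RE.match(entry.name)
    return int(m.group(3), 16) - int(m.group(2), 16) if m else None


def size_label_matches_range(entry: Entry) -> bool:
    """True when the printed Filesize equals the size implied by the address range."""
    span = memory_span(entry)
    return span is not None and format_size(span) == entry.fields.get("Filesize")


def pids_with_region_size(entries: List[Entry], label: str) -> List[int]:
    """Distinct PIDs holding a dumped region whose printed size is `label`, e.g. '3.2MB'."""
    return sorted({int(MEM_RE.match(e.name).group(1)) for e in entries
                   if e.is_memory and e.fields.get("Filesize") == label})


def sha256_blocklist(entries: List[Entry]) -> Dict[str, str]:
    """SHA256 -> dropped-file path, ready for a hash hunt or a blocklist."""
    return {e.fields["SHA256"]: e.name
            for e in entries if not e.is_memory and "SHA256" in e.fields}


if __name__ == "__main__":
    ents = parse_report(REPORT_EXCERPT)
    for e in ents:
        if e.is_memory:
            print(e.name, format_size(memory_span(e)),
                  "ok" if size_label_matches_range(e) else "MISMATCH")
    print("PIDs with a 3.2MB region:", pids_with_region_size(ents, "3.2MB"))
    print(sha256_blocklist(ents))
```

The report's own numbers fix the unit convention: the 1860-14 region 0x6B0000-0x6BC000 is 0xC000 = 49152 bytes and is printed as 48KB, so sizes are 1024-based, and format_size follows that. Run over the full section, every memory entry's printed size agrees with its address range, and the 3.2MB regions turn up in PIDs 748, 1144, 1508, 1860 and 2344, the same size as the submitted 3.2MB sample.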