Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 02:56

General

  • Target

    ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe

  • Size

    2.2MB

  • MD5

    8a47ebacc81a5930588692128bc229f8

  • SHA1

    3323a7c3376d19d5db6decb7c0fe2747848f9725

  • SHA256

    ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908

  • SHA512

    d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

  • SSDEEP

    49152:fHS93gX+fmEb8cbLJFVOy4lnxMPPAKYw1adF:/wNTT2MP4Kpa

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in System32 directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
    "C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
    1⤵
    • DcRat
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vga\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netmsg\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iassvcs\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fmifs\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1624
        • C:\Windows\System32\iassvcs\spoolsv.exe
          "C:\Windows\System32\iassvcs\spoolsv.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\System32\iassvcs\spoolsv.exe
              C:\Windows\System32\iassvcs\spoolsv.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3040
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2908
                • C:\Windows\System32\iassvcs\spoolsv.exe
                  C:\Windows\System32\iassvcs\spoolsv.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2376
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1904
                    • C:\Windows\System32\iassvcs\spoolsv.exe
                      C:\Windows\System32\iassvcs\spoolsv.exe
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:592
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2644
                        • C:\Windows\System32\iassvcs\spoolsv.exe
                          C:\Windows\System32\iassvcs\spoolsv.exe
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:440
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs"
                            12⤵
                              PID:2944
                              • C:\Windows\System32\iassvcs\spoolsv.exe
                                C:\Windows\System32\iassvcs\spoolsv.exe
                                13⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1520
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs"
                                  14⤵
                                    PID:1972
                                    • C:\Windows\System32\iassvcs\spoolsv.exe
                                      C:\Windows\System32\iassvcs\spoolsv.exe
                                      15⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2000
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs"
                                        16⤵
                                          PID:1580
                                          • C:\Windows\System32\iassvcs\spoolsv.exe
                                            C:\Windows\System32\iassvcs\spoolsv.exe
                                            17⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2596
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs"
                                              18⤵
                                                PID:2784
                                                • C:\Windows\System32\iassvcs\spoolsv.exe
                                                  C:\Windows\System32\iassvcs\spoolsv.exe
                                                  19⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1640
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs"
                                                    20⤵
                                                      PID:1384
                                                      • C:\Windows\System32\iassvcs\spoolsv.exe
                                                        C:\Windows\System32\iassvcs\spoolsv.exe
                                                        21⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2924
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs"
                                                          22⤵
                                                            PID:592
                                                            • C:\Windows\System32\iassvcs\spoolsv.exe
                                                              C:\Windows\System32\iassvcs\spoolsv.exe
                                                              23⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1060
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs"
                                                                24⤵
                                                                  PID:1752
                                                                  • C:\Windows\System32\iassvcs\spoolsv.exe
                                                                    C:\Windows\System32\iassvcs\spoolsv.exe
                                                                    25⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1696
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs"
                                                                      26⤵
                                                                        PID:1728
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f6f2e6-30dd-4812-b3ef-00c47ccf9d10.vbs"
                                                                        26⤵
                                                                          PID:2928
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2377991-683d-4e97-aaa2-854cc1ec4d2f.vbs"
                                                                      24⤵
                                                                        PID:1084
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed16267-7572-4476-a624-97c44b236cd8.vbs"
                                                                    22⤵
                                                                      PID:1976
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a2e2bd4-0db1-46de-a56f-cf90b66c524c.vbs"
                                                                  20⤵
                                                                    PID:2012
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e56b1e29-b58b-4187-bb7e-63e18a08ec80.vbs"
                                                                18⤵
                                                                  PID:3040
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657353cb-fe0d-4de0-8972-e18565c3d4b0.vbs"
                                                              16⤵
                                                                PID:2968
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3a8f9b-f414-400d-897e-0e3f8b0ff020.vbs"
                                                            14⤵
                                                              PID:2688
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546b53b3-d3fb-410d-bde4-f2e6013021b3.vbs"
                                                          12⤵
                                                            PID:1936
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6310bd7-df60-4b26-b965-586cac677826.vbs"
                                                        10⤵
                                                          PID:1960
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730f488e-633f-431e-a67e-c6d1d1724d72.vbs"
                                                      8⤵
                                                        PID:560
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa24909-e1f0-424b-9ffa-f47c7a818ec8.vbs"
                                                    6⤵
                                                      PID:2612
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs"
                                                  4⤵
                                                    PID:2116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\vga\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\netmsg\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2948
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2576
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\fmifs\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2620

Network

MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
                                              Filesize

                                              2.2MB

                                              MD5

                                              8a47ebacc81a5930588692128bc229f8

                                              SHA1

                                              3323a7c3376d19d5db6decb7c0fe2747848f9725

                                              SHA256

                                              ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908

                                              SHA512

                                              d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

                                            • C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
                                              Filesize

                                              2.2MB

                                              MD5

                                              f6cec2c40749bf1daca6d68699c7a02b

                                              SHA1

                                              615e3f7b06c844b9a5c4cc1bdb31c9508b7d2acf

                                              SHA256

                                              d9a534a6d94b49787b49e100a7a0be9f771b8d13e0423d114a38e3f3336164b0

                                              SHA512

                                              ea24b7b563c09349d5055fe4d7e535c8d058b53168078a99156311ec1400fc864094f4c126737207075e2a06ba076752f51bfa8f081955357c859001f6facee0

                                            • C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs
                                              Filesize

                                              715B

                                              MD5

                                              21d0c11e5e3ddaf088a0bffe6240cbdd

                                              SHA1

                                              d672b7433ee2bb00b86cf67d6cb32419c762885e

                                              SHA256

                                              bb322a3f7f7ba34b0620438d1765d2e815a0b7de2b4252ca1c0e09a33d992085

                                              SHA512

                                              4037c16b4c553994017289a41921fe69db0d9ddf3063ec2b486e5bf5f6e63975811c52924c1f54a03472ee6045a8f926ac50c990dc8e376e0ced48fe2d33b112

                                            • C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs
                                              Filesize

                                              715B

                                              MD5

                                              217e248ac09db2aee4a59288b9de3c94

                                              SHA1

                                              35a8b72f702b2ca1d26f1c5e3954a3db071b6597

                                              SHA256

                                              7b32000193a3f7c031413a0d6a40fc682e354b2f54a51ae61b9c202fa4a49979

                                              SHA512

                                              dbf743ea5ee297f3fe7ad29025b1768a2eefbbbb8dd3631ed5bbbf4b7b2f3114b80cb4c7e62b5f3bb1983d4f575d5a2fd3428306a74d3450bc717695ac6e7087

                                            • C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs
                                              Filesize

                                              715B

                                              MD5

                                              cb4460b7005b798f875253a274b84e95

                                              SHA1

                                              5c34a6c6b84d94ba74d717a049ac9818df3225ff

                                              SHA256

                                              a709735063fd1ffd625875b3afd943244c445c4d45d52a786555bb96022bb761

                                              SHA512

                                              7e5638694de28bcf6296824f109c1195259a12764415c61549fa22758373dc116ef822a1c261885718f7a4123e3a1e73baa866f55fd970a02e46e1b1a9b94160

                                            • C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs
                                              Filesize

                                              715B

                                              MD5

                                              95bd8089f91d4c460255d2d073345b66

                                              SHA1

                                              58b0a155bdf3db0e46f174239caae269732b3ba5

                                              SHA256

                                              3c277ef443fe66f9d9ab9f83cddd5dd9dfb1c8787d498496f14c6cf701bc7014

                                              SHA512

                                              09d9d76609f88babad5e535ad78660ba036a6fa3ac358e087437c741c1943ec5ac6d478f4e540bfee7af65b1eaa142706d8dc4629ef5375ecd74847497deac24

                                            • C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs
                                              Filesize

                                              715B

                                              MD5

                                              9f4cbd89974087c2a51253d740a27cca

                                              SHA1

                                              e4a9870b19bdbafa10a47ff3f8b0fd78454ed672

                                              SHA256

                                              c47e778f164ccf6b9366ae3a44a87d77af2a2f5ea264e44c853889a8a3ec160e

                                              SHA512

                                              4bb50d6372060f1b57b842287579f43ca02e51de7cc5eae9ccdf4325bd282991568796309fd6c8479b656d7f82a9a3494e3f48707e6603dbc263eef7e20f996e

                                            • C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs
                                              Filesize

                                              715B

                                              MD5

                                              0ff4692ba272730a6e476a873c2aef1c

                                              SHA1

                                              2d392c0d382fb77f999d49a03b76d955df78570f

                                              SHA256

                                              af1ab028216c5727b6994d910d13df63b652557f9f7dd63558df36807c417ca7

                                              SHA512

                                              945348448c9002d11c44bb73a4c13992636356e8698c34b936f70700a7e998b03b46ce7df3cda34c66c277af872cffd03a9a6958f4a6d1f6d9cc9f55e873da7f

                                            • C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs
                                              Filesize

                                              491B

                                              MD5

                                              4b361db7162ee3a19cfdbe4d8554a889

                                              SHA1

                                              9131769e7294f9df8e4248bc33fd426470768fd3

                                              SHA256

                                              a0b0e8fb1849095a70d5678704b9c386e7fc4d1ab57620ca02677c244b6d8bbb

                                              SHA512

                                              d87bf7ce0a4c8ee9fbbafd01920b410dd42ad30fd3ccbc24706bb39c23bc0aa72d89d4533efd50e7a883b165c19fd54626f63b987f36cf337a452c170c2b2c86

                                            • C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs
                                              Filesize

                                              715B

                                              MD5

                                              fe8a9074ab3bc15b180e0164acf63923

                                              SHA1

                                              4b830468b1f69422d86970eff1ca9cce92b2e215

                                              SHA256

                                              f53d4fa1fe0605443f72902990eb62ecaca6fa6d503776eecbd2e3e11510851f

                                              SHA512

                                              5ed8b415198aadd8d86e5d2131ca1510481144609ca687ac920a238c0a4615c4621d89e684e0b66b7229bd06401fb5be6be88ffcb165dfec9a9a31cbae5b137e

                                            • C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat
                                              Filesize: 203B

                                            • C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs
                                              Filesize: 715B

                                            • C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs
                                              Filesize: 715B

                                            • C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs
                                              Filesize: 715B

                                            • C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs
                                              Filesize: 714B

                                            • C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs
                                              Filesize: 714B

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                              Filesize: 7KB

                                            • C:\Windows\System32\fmifs\RCXC7BF.tmp
                                              Filesize: 2.2MB

                                            • C:\Windows\System32\netmsg\csrss.exe
                                              Filesize: 2.2MB

                                            • C:\Windows\System32\vga\RCXBA5D.tmp
                                              Filesize: 2.2MB

                                            • memory/1456-141-0x0000000001020000-0x0000000001266000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/1520-115-0x000000001B430000-0x000000001B712000-memory.dmp
                                              Filesize: 2.9MB

                                            • memory/1520-126-0x0000000002560000-0x0000000002568000-memory.dmp
                                              Filesize: 32KB

                                            • memory/1696-263-0x00000000005C0000-0x0000000000616000-memory.dmp
                                              Filesize: 344KB

                                            • memory/2008-9-0x0000000000730000-0x000000000073C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/2008-8-0x0000000000720000-0x000000000072A000-memory.dmp
                                              Filesize: 40KB

                                            • memory/2008-12-0x0000000000740000-0x0000000000748000-memory.dmp
                                              Filesize: 32KB

                                            • memory/2008-1-0x0000000001260000-0x00000000014A6000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/2008-11-0x0000000000CE0000-0x0000000000CEC000-memory.dmp
                                              Filesize: 48KB

                                            • memory/2008-10-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
                                              Filesize: 40KB

                                            • memory/2008-137-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
                                              Filesize: 9.9MB

                                            • memory/2008-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp
                                              Filesize: 40KB

                                            • memory/2008-7-0x0000000000500000-0x000000000050A000-memory.dmp
                                              Filesize: 40KB

                                            • memory/2008-6-0x00000000004F0000-0x00000000004F8000-memory.dmp
                                              Filesize: 32KB

                                            • memory/2008-5-0x0000000000B00000-0x0000000000B56000-memory.dmp
                                              Filesize: 344KB

                                            • memory/2008-4-0x00000000004E0000-0x00000000004F0000-memory.dmp
                                              Filesize: 64KB

                                            • memory/2008-3-0x00000000004D0000-0x00000000004DC000-memory.dmp
                                              Filesize: 48KB

                                            • memory/2008-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
                                              Filesize: 9.9MB

                                            • memory/2008-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp
                                              Filesize: 4KB

                                            • memory/3040-152-0x0000000000270000-0x00000000002C6000-memory.dmp
                                              Filesize: 344KB