Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 02:56
Behavioral task: behavioral1
- Sample: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
- Resource: win10v2004-20240508-en
General
- Target: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
- Size: 2.2MB
- MD5: 8a47ebacc81a5930588692128bc229f8
- SHA1: 3323a7c3376d19d5db6decb7c0fe2747848f9725
- SHA256: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
- SHA512: d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14
- SSDEEP: 49152:fHS93gX+fmEb8cbLJFVOy4lnxMPPAKYw1adF:/wNTT2MP4Kpa
Malware Config
Signatures
-
DcRat 8 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid | process
3000 | schtasks.exe
2948 | schtasks.exe
2576 | schtasks.exe
2580 | schtasks.exe
2620 | schtasks.exe
2888 | schtasks.exe
description | ioc | process
File created | C:\Windows\System32\vga\dwm.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\vga\6cb0b6c459d5d3 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 1992 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3000 | 1992 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 1992 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 1992 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 1992 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 1992 | schtasks.exe |
-
Processes:
resource | yara_rule
behavioral1/memory/2008-1-0x0000000001260000-0x00000000014A6000-memory.dmp | dcrat
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe | dcrat
C:\Windows\System32\vga\RCXBA5D.tmp | dcrat
C:\Windows\System32\netmsg\csrss.exe | dcrat
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe | dcrat
C:\Windows\System32\fmifs\RCXC7BF.tmp | dcrat
behavioral1/memory/1456-141-0x0000000001020000-0x0000000001266000-memory.dmp | dcrat
-
Detects executables packed with SmartAssembly 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2008-3-0x00000000004D0000-0x00000000004DC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-4-0x00000000004E0000-0x00000000004F0000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-5-0x0000000000B00000-0x0000000000B56000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-8-0x0000000000720000-0x000000000072A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-9-0x0000000000730000-0x000000000073C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-10-0x0000000000CD0000-0x0000000000CDA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-11-0x0000000000CE0000-0x0000000000CEC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2008-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3040-152-0x0000000000270000-0x00000000002C6000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1696-263-0x00000000005C0000-0x0000000000616000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
1664 | powershell.exe
1940 | powershell.exe
1520 | powershell.exe
2176 | powershell.exe
1936 | powershell.exe
1920 | powershell.exe
1292 | powershell.exe
-
Executes dropped EXE 12 IoCs
Processes:
pid | process
1456 | spoolsv.exe
3040 | spoolsv.exe
2376 | spoolsv.exe
592 | spoolsv.exe
440 | spoolsv.exe
1520 | spoolsv.exe
2000 | spoolsv.exe
2596 | spoolsv.exe
1640 | spoolsv.exe
2924 | spoolsv.exe
1060 | spoolsv.exe
1696 | spoolsv.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\iassvcs\\spoolsv.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\smss.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\fmifs\\services.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\vga\\dwm.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\netmsg\\csrss.exe\"" | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
-
Drops file in System32 directory 20 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\vga\dwm.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\vga\RCXB9DF.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\netmsg\RCXBD6B.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\netmsg\csrss.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\iassvcs\RCXC29D.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\fmifs\RCXC741.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\fmifs\RCXC7BF.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\vga\6cb0b6c459d5d3 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\fmifs\c5b4cb5e9653cc | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\vga\RCXBA5D.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\netmsg\RCXBCDD.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\iassvcs\spoolsv.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\fmifs\services.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\iassvcs\RCXC28C.tmp | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File opened for modification | C:\Windows\System32\fmifs\services.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\vga\dwm.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\netmsg\csrss.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\netmsg\886983d96e3d3e | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\iassvcs\spoolsv.exe | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
File created | C:\Windows\System32\iassvcs\f3b6ecef712a24 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2576 | schtasks.exe
2580 | schtasks.exe
2620 | schtasks.exe
2888 | schtasks.exe
3000 | schtasks.exe
2948 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe (entry repeated)
1520 | powershell.exe
2176 | powershell.exe
1664 | powershell.exe
1292 | powershell.exe
1940 | powershell.exe
1920 | powershell.exe
1936 | powershell.exe
1456 | spoolsv.exe (entry repeated)
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Token: SeDebugPrivilege | 1520 | powershell.exe
Token: SeDebugPrivilege | 2176 | powershell.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 1292 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 1920 | powershell.exe
Token: SeDebugPrivilege | 1936 | powershell.exe
Token: SeDebugPrivilege | 1456 | spoolsv.exe
Token: SeDebugPrivilege | 3040 | spoolsv.exe
Token: SeDebugPrivilege | 2376 | spoolsv.exe
Token: SeDebugPrivilege | 592 | spoolsv.exe
Token: SeDebugPrivilege | 440 | spoolsv.exe
Token: SeDebugPrivilege | 1520 | spoolsv.exe
Token: SeDebugPrivilege | 2000 | spoolsv.exe
Token: SeDebugPrivilege | 2596 | spoolsv.exe
Token: SeDebugPrivilege | 1640 | spoolsv.exe
Token: SeDebugPrivilege | 2924 | spoolsv.exe
Token: SeDebugPrivilege | 1060 | spoolsv.exe
Token: SeDebugPrivilege | 1696 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2008 wrote to memory of 1520 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 2176 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 1940 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 1664 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 1936 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 1292 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 1920 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | powershell.exe
PID 2008 wrote to memory of 2416 (x3) | 2008 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | cmd.exe
PID 2416 wrote to memory of 1624 (x3) | 2416 | cmd.exe | w32tm.exe
PID 2416 wrote to memory of 1456 (x3) | 2416 | cmd.exe | spoolsv.exe
PID 1456 wrote to memory of 2800 (x3) | 1456 | spoolsv.exe | WScript.exe
PID 1456 wrote to memory of 2116 (x3) | 1456 | spoolsv.exe | WScript.exe
PID 2800 wrote to memory of 3040 (x3) | 2800 | WScript.exe | spoolsv.exe
PID 3040 wrote to memory of 2908 (x3) | 3040 | spoolsv.exe | WScript.exe
PID 3040 wrote to memory of 2612 (x3) | 3040 | spoolsv.exe | WScript.exe
PID 2908 wrote to memory of 2376 (x3) | 2908 | WScript.exe | spoolsv.exe
PID 2376 wrote to memory of 1904 (x3) | 2376 | spoolsv.exe | WScript.exe
PID 2376 wrote to memory of 560 (x3) | 2376 | spoolsv.exe | WScript.exe
PID 1904 wrote to memory of 592 (x3) | 1904 | WScript.exe | spoolsv.exe
PID 592 wrote to memory of 2644 (x3) | 592 | spoolsv.exe | WScript.exe
PID 592 wrote to memory of 1960 (x3) | 592 | spoolsv.exe | WScript.exe
PID 2644 wrote to memory of 440 | 2644 | WScript.exe | spoolsv.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vga\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netmsg\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iassvcs\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fmifs\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920 -
C:\Windows\System32\cmd.exe (level 2)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat"
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\system32\w32tm.exe (level 3)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1624
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 3)
  command line: "C:\Windows\System32\iassvcs\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\System32\WScript.exe (level 4)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs"
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\System32\iassvcs\spoolsv.exe (level 5)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\System32\WScript.exe (level 6)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs"
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\System32\iassvcs\spoolsv.exe (level 7)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\System32\WScript.exe (level 8)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs"
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\System32\iassvcs\spoolsv.exe (level 9)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\System32\WScript.exe (level 10)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs"
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\System32\iassvcs\spoolsv.exe (level 11)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440 -
C:\Windows\System32\WScript.exe (level 12)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs"
  PID:2944
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 13)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\System32\WScript.exe (level 14)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs"
  PID:1972
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 15)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\System32\WScript.exe (level 16)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs"
  PID:1580
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 17)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Windows\System32\WScript.exe (level 18)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs"
  PID:2784
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 19)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\WScript.exe (level 20)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs"
  PID:1384
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 21)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\System32\WScript.exe (level 22)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs"
  PID:592
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 23)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060 -
C:\Windows\System32\WScript.exe (level 24)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs"
  PID:1752
-
C:\Windows\System32\iassvcs\spoolsv.exe (level 25)
  command line: C:\Windows\System32\iassvcs\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\System32\WScript.exe (level 26)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs"
  PID:1728
-
C:\Windows\System32\WScript.exe (level 26)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f6f2e6-30dd-4812-b3ef-00c47ccf9d10.vbs"
  PID:2928
-
C:\Windows\System32\WScript.exe (level 24)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2377991-683d-4e97-aaa2-854cc1ec4d2f.vbs"
  PID:1084
-
C:\Windows\System32\WScript.exe (level 22)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed16267-7572-4476-a624-97c44b236cd8.vbs"
  PID:1976
-
C:\Windows\System32\WScript.exe (level 20)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a2e2bd4-0db1-46de-a56f-cf90b66c524c.vbs"
  PID:2012
-
C:\Windows\System32\WScript.exe (level 18)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e56b1e29-b58b-4187-bb7e-63e18a08ec80.vbs"
  PID:3040
-
C:\Windows\System32\WScript.exe (level 16)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657353cb-fe0d-4de0-8972-e18565c3d4b0.vbs"
  PID:2968
-
C:\Windows\System32\WScript.exe (level 14)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3a8f9b-f414-400d-897e-0e3f8b0ff020.vbs"
  PID:2688
-
C:\Windows\System32\WScript.exe (level 12)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546b53b3-d3fb-410d-bde4-f2e6013021b3.vbs"
  PID:1936
-
C:\Windows\System32\WScript.exe (level 10)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6310bd7-df60-4b26-b965-586cac677826.vbs"
  PID:1960
-
C:\Windows\System32\WScript.exe (level 8)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730f488e-633f-431e-a67e-c6d1d1724d72.vbs"
  PID:560
-
C:\Windows\System32\WScript.exe (level 6)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa24909-e1f0-424b-9ffa-f47c7a818ec8.vbs"
  PID:2612
-
C:\Windows\System32\WScript.exe (level 4)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs"
  PID:2116
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\vga\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\netmsg\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\fmifs\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
  Filesize: 2.2MB
  MD5: 8a47ebacc81a5930588692128bc229f8
  SHA1: 3323a7c3376d19d5db6decb7c0fe2747848f9725
  SHA256: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
  SHA512: d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14
-
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
  Filesize: 2.2MB
  MD5: f6cec2c40749bf1daca6d68699c7a02b
  SHA1: 615e3f7b06c844b9a5c4cc1bdb31c9508b7d2acf
  SHA256: d9a534a6d94b49787b49e100a7a0be9f771b8d13e0423d114a38e3f3336164b0
  SHA512: ea24b7b563c09349d5055fe4d7e535c8d058b53168078a99156311ec1400fc864094f4c126737207075e2a06ba076752f51bfa8f081955357c859001f6facee0
-
C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs
  Filesize: 715B
  MD5: 21d0c11e5e3ddaf088a0bffe6240cbdd
  SHA1: d672b7433ee2bb00b86cf67d6cb32419c762885e
  SHA256: bb322a3f7f7ba34b0620438d1765d2e815a0b7de2b4252ca1c0e09a33d992085
  SHA512: 4037c16b4c553994017289a41921fe69db0d9ddf3063ec2b486e5bf5f6e63975811c52924c1f54a03472ee6045a8f926ac50c990dc8e376e0ced48fe2d33b112
-
C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs
  Filesize: 715B
  MD5: 217e248ac09db2aee4a59288b9de3c94
  SHA1: 35a8b72f702b2ca1d26f1c5e3954a3db071b6597
  SHA256: 7b32000193a3f7c031413a0d6a40fc682e354b2f54a51ae61b9c202fa4a49979
  SHA512: dbf743ea5ee297f3fe7ad29025b1768a2eefbbbb8dd3631ed5bbbf4b7b2f3114b80cb4c7e62b5f3bb1983d4f575d5a2fd3428306a74d3450bc717695ac6e7087
-
C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs
  Filesize: 715B
  MD5: cb4460b7005b798f875253a274b84e95
  SHA1: 5c34a6c6b84d94ba74d717a049ac9818df3225ff
  SHA256: a709735063fd1ffd625875b3afd943244c445c4d45d52a786555bb96022bb761
  SHA512: 7e5638694de28bcf6296824f109c1195259a12764415c61549fa22758373dc116ef822a1c261885718f7a4123e3a1e73baa866f55fd970a02e46e1b1a9b94160
-
C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs
  Filesize: 715B
  MD5: 95bd8089f91d4c460255d2d073345b66
  SHA1: 58b0a155bdf3db0e46f174239caae269732b3ba5
  SHA256: 3c277ef443fe66f9d9ab9f83cddd5dd9dfb1c8787d498496f14c6cf701bc7014
  SHA512: 09d9d76609f88babad5e535ad78660ba036a6fa3ac358e087437c741c1943ec5ac6d478f4e540bfee7af65b1eaa142706d8dc4629ef5375ecd74847497deac24
-
C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs
Filesize 715B
MD5 9f4cbd89974087c2a51253d740a27cca
SHA1 e4a9870b19bdbafa10a47ff3f8b0fd78454ed672
SHA256 c47e778f164ccf6b9366ae3a44a87d77af2a2f5ea264e44c853889a8a3ec160e
SHA512 4bb50d6372060f1b57b842287579f43ca02e51de7cc5eae9ccdf4325bd282991568796309fd6c8479b656d7f82a9a3494e3f48707e6603dbc263eef7e20f996e
-
C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs
Filesize 715B
MD5 0ff4692ba272730a6e476a873c2aef1c
SHA1 2d392c0d382fb77f999d49a03b76d955df78570f
SHA256 af1ab028216c5727b6994d910d13df63b652557f9f7dd63558df36807c417ca7
SHA512 945348448c9002d11c44bb73a4c13992636356e8698c34b936f70700a7e998b03b46ce7df3cda34c66c277af872cffd03a9a6958f4a6d1f6d9cc9f55e873da7f
-
C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs
Filesize 491B
MD5 4b361db7162ee3a19cfdbe4d8554a889
SHA1 9131769e7294f9df8e4248bc33fd426470768fd3
SHA256 a0b0e8fb1849095a70d5678704b9c386e7fc4d1ab57620ca02677c244b6d8bbb
SHA512 d87bf7ce0a4c8ee9fbbafd01920b410dd42ad30fd3ccbc24706bb39c23bc0aa72d89d4533efd50e7a883b165c19fd54626f63b987f36cf337a452c170c2b2c86
-
C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs
Filesize 715B
MD5 fe8a9074ab3bc15b180e0164acf63923
SHA1 4b830468b1f69422d86970eff1ca9cce92b2e215
SHA256 f53d4fa1fe0605443f72902990eb62ecaca6fa6d503776eecbd2e3e11510851f
SHA512 5ed8b415198aadd8d86e5d2131ca1510481144609ca687ac920a238c0a4615c4621d89e684e0b66b7229bd06401fb5be6be88ffcb165dfec9a9a31cbae5b137e
-
C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat
Filesize 203B
MD5 c4d92617f32d772464d7f4efb445a131
SHA1 037760c2aa3a4cbf69f762d45d8f65e704449631
SHA256 fcc0e723581d83d5663cec07ec2293500dcfb25e98777a3f9474d61059a7e432
SHA512 6c449155f1f9ef3dc43cd8d1efc0d2b1bcd232f6e61185ebdebbe521d57e2010954303850492d4c77a3f04a1775b4009e2f0ac0712a314a3f9a82c08d8073403
-
C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs
Filesize 715B
MD5 5de15873e0b49be19dc3215e233a92bb
SHA1 eb1c2d2398623411ecf27a2213f0618b8301c5da
SHA256 d8c14911d2f4d09b661c98f52a5a4eebecaa7ef3466750d0896745934a6489ce
SHA512 b5a351ac9f134f61cf9d16a28d2828d31b7cc3f5eb9f5bab013e9b838ad7c23d12e37fd1929904aef9739c7a18452f5e9983141c2427f75105a8a43e81d1b431
-
C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs
Filesize 715B
MD5 8b018b8ad854444d2cb04b074c027fd8
SHA1 00498348536cf51e29b5122ef0683012d966be1b
SHA256 b79b4f700d0c2cb5243b9ec67d37d0763a73a9e71ede90ae751fa09503dc23f0
SHA512 526710f09ae3eeac05acdcdc8d8cbb1f94a1518e19e5f22f7fbb0e389e3f587f5f2d3931edadc6bdcd40203506005be19ad1f7ed77c85aef8deb28a3f39e906a
-
C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs
Filesize 715B
MD5 e24f09a874ce1dd0479c57976827fd7f
SHA1 4e81fecc79700f92538b7ca5114fdedcf55391cc
SHA256 ec0bbee12c437cc154e8ba19ea19db998d433aebfee84060f9229fb5f7544428
SHA512 9d0b921a345f70b18b3a99b02ebb72b7d9853425efb886a46318e9991ffe35d46c80477b94c77ffcc20a63b117bab93a83d9339ed856bedd78a1effd06918cfb
-
C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs
Filesize 714B
MD5 e156c4ec27bfe79a088bf4f794222866
SHA1 a315e7bd18601cdba9b050765b0072ac7cd92565
SHA256 9450c30f4c75620e174ec6c1f1088da1c5b0f3043e35e4ad8476f060e146c516
SHA512 5756dcc41113a24bfd9bea2c9a30a6a5fa875c0aaf793fad6c1499f5aa66ef97676624226ce4fea606234c3b10bcfc6c9827007825f5eca0910b7be12b345fc1
-
C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs
Filesize 714B
MD5 57be99fed90681eff6c13d5bcc62e22e
SHA1 db9f4be11739c196437c6922aae43396a7a150cd
SHA256 7117840ffd95470ee9b24957072ab58c42f0caa1d4a3931d12222292da84ec40
SHA512 053697a5d8adf23df776bfb988bc14ac5e275abd465d27907a22af559749aeba8d6cd18078bd0e945bd24867baa2cb60c2b846ac387503c4d9792916a387a7a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 401811914b1cd4e73a154a0c72251354
SHA1 28c172374439338cb990207d0e1856a9da3b4ab5
SHA256 a37e0ed93fe9b3ec9618480a2c7c5a7b62927c2e46c60cfa2fdacf89bb6e63d5
SHA512 a09e4656d92868c3a118bc6e8339559008d11533bc3d4f31055e826f691beebdac20c3d17646f163543939fa5acea572ca4cf9a84941e92ee31c86105a37b5e1
-
C:\Windows\System32\fmifs\RCXC7BF.tmp
Filesize 2.2MB
MD5 8bbddf52bbebab4711c8876040274f6f
SHA1 ddcc063bba90c2b289a02a1aafcd8b721cf57714
SHA256 c5e179d62ba64a761ac1a50c96c73a92bc5e810b61ef2e28ce5199ad4672bcb7
SHA512 cb47035f923c92439e495114eabfcfa97fc5d97519ad94430251c1f6d7307cb76e0a03cc1e88163d1fce4bafcb0f86b8eec67eaae0df5b0732513d96dbe1dfe3
-
C:\Windows\System32\netmsg\csrss.exe
Filesize 2.2MB
MD5 79869f0813473ce369325084336bd639
SHA1 c268bad98f7b53ae47e44799ea0a97ef840cac43
SHA256 72ef1b4c7a2bae2592db9887bd756b8f24302ce9c902735aba9327f226a9ffb9
SHA512 840469e86dc53b5c4267078586f12dca88c28c0d6f6e8602ad78ba7c6ca7d6a1183d0cba19aee53c28c8c979a086e0905a5aaf94cf50cb85ff07d87260efc46e
-
C:\Windows\System32\vga\RCXBA5D.tmp
Filesize 2.2MB
MD5 4fde70524de984333863598880cb9cc7
SHA1 9917b609b02886d7774884dfa8c4df4fef949600
SHA256 dd85a7ce1af62aaf4f44492da231f31c99bb3948b00bb96cf49eb28d52e15bde
SHA512 fcfb4b84e97b5d641dd93d97cf81d0730f3e29f4a89fbb98a8d5cc52f6d8beb8c3b0b787b8e31220f0d9a677887e2bbbaac47e32c8044598f8fa523389ae702b
-
memory/1456-141-0x0000000001020000-0x0000000001266000-memory.dmp
Filesize 2.3MB
-
memory/1520-115-0x000000001B430000-0x000000001B712000-memory.dmp
Filesize 2.9MB
-
memory/1520-126-0x0000000002560000-0x0000000002568000-memory.dmp
Filesize 32KB
-
memory/1696-263-0x00000000005C0000-0x0000000000616000-memory.dmp
Filesize 344KB
-
memory/2008-9-0x0000000000730000-0x000000000073C000-memory.dmp
Filesize 48KB
-
memory/2008-8-0x0000000000720000-0x000000000072A000-memory.dmp
Filesize 40KB
-
memory/2008-12-0x0000000000740000-0x0000000000748000-memory.dmp
Filesize 32KB
-
memory/2008-1-0x0000000001260000-0x00000000014A6000-memory.dmp
Filesize 2.3MB
-
memory/2008-11-0x0000000000CE0000-0x0000000000CEC000-memory.dmp
Filesize 48KB
-
memory/2008-10-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
Filesize 40KB
-
memory/2008-137-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/2008-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp
Filesize 40KB
-
memory/2008-7-0x0000000000500000-0x000000000050A000-memory.dmp
Filesize 40KB
-
memory/2008-6-0x00000000004F0000-0x00000000004F8000-memory.dmp
Filesize 32KB
-
memory/2008-5-0x0000000000B00000-0x0000000000B56000-memory.dmp
Filesize 344KB
-
memory/2008-4-0x00000000004E0000-0x00000000004F0000-memory.dmp
Filesize 64KB
-
memory/2008-3-0x00000000004D0000-0x00000000004DC000-memory.dmp
Filesize 48KB
-
memory/2008-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/2008-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp
Filesize 4KB
-
memory/3040-152-0x0000000000270000-0x00000000002C6000-memory.dmp
Filesize 344KB
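Added example, not part of the sandbox report: a Python script that parses the dropped-files listing above in the raw layout it is exported in, length-checks every digest against its algorithm, and matches a file on disk against the resulting set by hash rather than by path. Keying on hash matters here because the same Package Cache\smss.exe path is listed twice with two different binaries. RAW_REPORT is a constructed sample holding three records copied from the list; the class and function names are my own, and the script assumes the exported layout of "<path>Filesize", size, then "MD5<hex>", "SHA1<hex>", "SHA256<hex>", "SHA512<hex>".

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the dropped-files list, in the
# raw export layout. The first two share a path but carry different binaries.
RAW_REPORT = r"""
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exeFilesize
2.2MB
MD58a47ebacc81a5930588692128bc229f8
SHA13323a7c3376d19d5db6decb7c0fe2747848f9725
SHA256ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
SHA512d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14
-
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exeFilesize
2.2MB
MD5f6cec2c40749bf1daca6d68699c7a02b
SHA1615e3f7b06c844b9a5c4cc1bdb31c9508b7d2acf
SHA256d9a534a6d94b49787b49e100a7a0be9f771b8d13e0423d114a38e3f3336164b0
SHA512ea24b7b563c09349d5055fe4d7e535c8d058b53168078a99156311ec1400fc864094f4c126737207075e2a06ba076752f51bfa8f081955357c859001f6facee0
-
memory/2008-1-0x0000000001260000-0x00000000014A6000-memory.dmpFilesize
2.3MB
-
"""

# Hex length of each digest; a fused or truncated value fails the parse loudly.
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    path: str
    size: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_report(text):
    """Turn the flattened records into Artifact objects (memory dumps keep size only)."""
    artifacts, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            current = Artifact(path=line[: -len("Filesize")], size=next(lines, "").strip())
            artifacts.append(current)
            continue
        m = HASH_LINE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line in report: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != EXPECTED_HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {current.path}")
        current.hashes[algo] = digest
    return artifacts


def _digest(chunks):
    """All four digests in a single pass over an iterable of byte chunks."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in EXPECTED_HEX_LEN}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data):
    return _digest([data])


def hash_file(path, chunk_size=1 << 20):
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))


def match(digests, artifacts):
    """Artifacts whose recorded hashes agree with `digests`. One shared algorithm
    suffices to match; a disagreement on any shared algorithm rejects the record,
    so an MD5-only coincidence cannot pass when a stronger digest contradicts it."""
    hits = []
    for art in artifacts:
        shared = [a for a in art.hashes if a in digests]
        if shared and all(art.hashes[a] == digests[a].lower() for a in shared):
            hits.append(art)
    return hits


def duplicate_paths(artifacts):
    """Paths listed more than once with distinct SHA-256 values; an IoC set keyed
    on path alone would silently merge these into one entry."""
    seen = {}
    for art in artifacts:
        if "SHA256" in art.hashes:
            seen.setdefault(art.path, set()).add(art.hashes["SHA256"])
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    import sys
    arts = parse_report(RAW_REPORT)
    for p, shas in duplicate_paths(arts).items():
        print(f"{p} listed with {len(shas)} distinct SHA-256 values")
    for target in sys.argv[1:]:
        hits = match(hash_file(target), arts)
        print(target, "->", [h.path for h in hits] or "no match")
```

Run it with one or more file paths as arguments to check suspect files against the set; feeding it the full listing instead of the three-record sample only requires pasting the remaining records into RAW_REPORT in the same layout.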