Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-09-2024 03:06
General
-
Target
Trojan.MSIL.Siggen.exe
-
Size
4.9MB
-
MD5
fa6a70b32304b41f2ca98115cae843f0
-
SHA1
15e0536c0b4be4fca7ee2a03a7e40a4075a18950
-
SHA256
f19f7803a88945eb9370a47e0ac9c59a2f25d9a18c2af844298dbdfcc5177ddf
-
SHA512
6226c2d25875e7b7fc930094ebfb6cbc67dfd4c52c0c3211adcf3a18c0ca5b9b6d5d68312dc44522fd8b36b777cd2cee0c201c24228e751d1e8e506491839279
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 27 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h26RurFrqG.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9c06712-16a2-4c98-abb3-5004c6cac1e0.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d06fe193-3437-4e5f-a59b-10dafbc6ec97.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b650c0-edc1-4355-8715-17c87e39e9a0.vbs"8⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da1a187c-5614-40a9-8628-515965bda3c1.vbs"10⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b8f87a-031d-4268-a8e4-a94f3acc319e.vbs"12⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8209b81-335f-4546-90aa-d65eb0047f04.vbs"14⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a201cf64-b314-4862-81a7-c4d94b2561d9.vbs"16⤵
-
C:\Users\All Users\Templates\wininit.exe"C:\Users\All Users\Templates\wininit.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63359417-a0d7-4168-907f-5d19d88d622f.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc63591d-6ea4-4366-9cbd-c3f28bdcc957.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c10aa9da-c99a-4a99-836d-e891156bc36f.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fffbefa-6fa3-403c-86e0-cb905f80c085.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\728d8fe5-cf4c-4eda-9d1f-22a4c12ead64.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c94144d2-9121-4b5d-aa11-5cc1319be54f.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c968cff3-7b8f-4d34-a849-0c5c5dc9d58c.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c52b57a-2a6f-4df1-a498-3c0db43222c7.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d785f93f-cf76-41c2-b984-e63c0f68c7d1.vbs"4⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Trojan.MSIL.SiggenT" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Trojan.MSIL.Siggen.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Trojan.MSIL.Siggen" /sc ONLOGON /tr "'C:\Users\All Users\Trojan.MSIL.Siggen.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Trojan.MSIL.SiggenT" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Trojan.MSIL.Siggen.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\02b650c0-edc1-4355-8715-17c87e39e9a0.vbsFilesize
716B
MD5238d4b81d9e4c6b372fe4df5959134d0
SHA124ec6addabf19155275ec523e35a0ed70a8dfc44
SHA256ffcc013d6ba939ad19fc7a263bed935f8a818558bab07e6639123f20d65aa6a7
SHA51296a402d128cd8017d11c5c6578827f6392efa71c71141e6c735a69df288c2289ef07e1c77d83401a308199602fc4d82064f73abf4feb738e7bdc34e779493c55
-
C:\Users\Admin\AppData\Local\Temp\63359417-a0d7-4168-907f-5d19d88d622f.vbsFilesize
716B
MD547d4fa049c01c90b70c89b74472e0deb
SHA1e8130f94d4fcfee63d1726e28068ddae754273d7
SHA256ab36cd96b60cf170a09df4b3015b0da7452d8f9d89d6c102b83e74cc7bf6f5c5
SHA512e1356fc06951ed7aff0f685900d92e6b921b0f24430cf302e317b5f6172eab666db207d235ae7bdd73f81b049aeab63f3b859e39e7f0d45723d48021fd195186
-
C:\Users\Admin\AppData\Local\Temp\790ae7fb75235c796e49c039207532319cbc2f9f.exeFilesize
4.9MB
MD5669def7102a3c4d112e2265180feaf6a
SHA19538bde73d9655c1f1afaf7919e9706f13ca71e4
SHA25647732bcdc3423b0fd5d5e68db46c655c3b4fc6d0567ec1e8b15db949dec00547
SHA512e9e37071b548be64b0339c1237b8898f82c87e06438a15c4cad8d5293d2bbbe02ff4d43ac77efcfd4ba16a263b327370526cdb0c24b041dd30c38b70a3b10e42
-
C:\Users\Admin\AppData\Local\Temp\a201cf64-b314-4862-81a7-c4d94b2561d9.vbsFilesize
716B
MD5a5d5e61b3b76fbc51f9bcdfa99d77370
SHA10cbc29964e2407c0ca72e56817bd3d82c26564da
SHA2569aec8d278e6dc15684ebb50f0895647dcb2d1e37d39f0bc900c563cc9fb0377a
SHA512870f891832ecf818d16e351965ee4f3bafe8f9c1932f93d1c9be7d439897f29641fc02a3450da64851675acdb3572816a4259a38dbb316c028e7eb565657581b
-
C:\Users\Admin\AppData\Local\Temp\a9c06712-16a2-4c98-abb3-5004c6cac1e0.vbsFilesize
716B
MD5bfb9ee7cfd6c5501aa0a1debb7f0d4b5
SHA120a999ab70fca327eb2d52346a48bec3d3f8ee20
SHA2564140bf08b13d818ebd2902306567f5db48b9e76afaab4fc5d4ea3d4538eae07b
SHA5121d21a15d830c32c2435cd7353fc8f0ffb10ebadc9901648aa2113ca90fe48c4aa1c6051d1bb3255abed2a1958c5af6f72f9ee1cc357e38642ca26e15128c0327
-
C:\Users\Admin\AppData\Local\Temp\d06fe193-3437-4e5f-a59b-10dafbc6ec97.vbsFilesize
716B
MD52136c05fa70082b093bfb74fac6495c1
SHA1c27cc7a6609401856902c23212688f5f398891db
SHA256ea8b42c7a821684946f0ac07a593bf95a92c3b870da32e282f0ac4679787b673
SHA5121d04794aa894bd384eb6cc5cb8eab61b4e51a51b49461cac4b7e3f579e5c35f432b25d4b8cbf6f5fac51fff15334c80fa47ea93099c3689e001831732d18dc0f
-
C:\Users\Admin\AppData\Local\Temp\d6b8f87a-031d-4268-a8e4-a94f3acc319e.vbsFilesize
715B
MD51ad8269d062f20a86f654054ade18c25
SHA1ef2ee73611688d189ebee3ca68a8b9138b4cfed6
SHA2561554b41ae0cc7bb687c2ba6f8c69075ed6839a85a869f1cc0e3ab942c506a560
SHA512ab808eec68d2916ee015243765fd2909a5197175490a062868c42fcc5ebe44676967a087300e82d360add438507e44a0f212ae6c14f74e71562a052bb39b34b9
-
C:\Users\Admin\AppData\Local\Temp\d785f93f-cf76-41c2-b984-e63c0f68c7d1.vbsFilesize
492B
MD55e30d35364b468cc151ebc2eced653a9
SHA14e9161babdf10b3aeae4054ce5d2beef609aa908
SHA256010a23f77e4c4f4c9d397855305e0694b72f2fac07164236b1f5c85e62a790bf
SHA512982acaddb0f7f0ffd8f87d4c10e0cc6615c19c36e16eae76b27376cb252d16f2f31396f3c098a74267cd1df2bcd1259c65b738f9a1139af7def8c997d24112e0
-
C:\Users\Admin\AppData\Local\Temp\da1a187c-5614-40a9-8628-515965bda3c1.vbsFilesize
715B
MD511af3be3f9cca8697949c343bee98d27
SHA177f25db2d1d0193cc9feb484c00ab7b4c4cfb095
SHA256deb3ebc6f2a73a59838956335173eababe3bb0ef4c0ab5dfea945dd4f4368211
SHA512b43e3841e71c5e2c2d05f2ddddfb56fee858c908c8e0c83e75f9083359dcf9218265d3039240aa5127bb2e2c9d90232123bc96487a7729f23937607d8d56ffbc
-
C:\Users\Admin\AppData\Local\Temp\f8209b81-335f-4546-90aa-d65eb0047f04.vbsFilesize
716B
MD5140a1ff109ec24d8e27a7fc1af85c274
SHA1076798e831332986ccd80e8415d9d044dcfffc3f
SHA2565e8b1b49eb570c169abb4028a903eb8d0f21d19b5affeb41da9999e8c17498f8
SHA51292c1c9085697d8f2734c47ef55f72f4403811ac6d42453be6affcd04630864610eb1dd0730b519202c2912fe2010dee54ebccecc66737f128d89cced2719956b
-
C:\Users\Admin\AppData\Local\Temp\h26RurFrqG.batFilesize
205B
MD531ac2256d1249cbb4cb9ad8907fdaf2c
SHA1820fd0c55106123014a89d79f18247da1658dec1
SHA256647c840c09c5be66462a3014398922c69a7dff0317db1f11efecf92ffdcb7e8f
SHA512e6971dc5efaebbb30f71980c17233f338749f36fd7f7b39f547c4a9b5bf0fb53030a907ba051c010c304f1e25d526fa0557d3c05bef8563c053bb2b907dbf453
-
C:\Users\Admin\AppData\Local\Temp\tmp5245.tmp.exeFilesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD52299c5a820165b408660a608787433cb
SHA1845b5e42e3007fdd5f21cab57bb3abd5dfd5df1d
SHA2565ffa998e0f17c3a00d015c35cb78052fcfd85714abcedae2ca58f04d1e279641
SHA5129a8377e981f3d0849534b34711dfc5d20e1a2ea8f07fcd9ea8ad4393d29cf28478194bcd8ab086d28fe1fc296a27a25be317ba625d4dac2c1ede7b6a907a175b
-
C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exeFilesize
4.9MB
MD5fa6a70b32304b41f2ca98115cae843f0
SHA115e0536c0b4be4fca7ee2a03a7e40a4075a18950
SHA256f19f7803a88945eb9370a47e0ac9c59a2f25d9a18c2af844298dbdfcc5177ddf
SHA5126226c2d25875e7b7fc930094ebfb6cbc67dfd4c52c0c3211adcf3a18c0ca5b9b6d5d68312dc44522fd8b36b777cd2cee0c201c24228e751d1e8e506491839279
-
memory/388-228-0x0000000001250000-0x0000000001744000-memory.dmpFilesize
5.0MB
-
memory/948-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmpFilesize
4KB
-
memory/948-15-0x0000000000650000-0x0000000000658000-memory.dmpFilesize
32KB
-
memory/948-16-0x0000000000660000-0x000000000066C000-memory.dmpFilesize
48KB
-
memory/948-97-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmpFilesize
4KB
-
memory/948-112-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmpFilesize
9.9MB
-
memory/948-13-0x00000000003B0000-0x00000000003BE000-memory.dmpFilesize
56KB
-
memory/948-128-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmpFilesize
9.9MB
-
memory/948-10-0x0000000000380000-0x0000000000392000-memory.dmpFilesize
72KB
-
memory/948-9-0x0000000000370000-0x000000000037A000-memory.dmpFilesize
40KB
-
memory/948-12-0x00000000003A0000-0x00000000003AE000-memory.dmpFilesize
56KB
-
memory/948-2-0x000000001B830000-0x000000001B95E000-memory.dmpFilesize
1.2MB
-
memory/948-11-0x0000000000390000-0x000000000039A000-memory.dmpFilesize
40KB
-
memory/948-1-0x0000000000BD0000-0x00000000010C4000-memory.dmpFilesize
5.0MB
-
memory/948-3-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmpFilesize
9.9MB
-
memory/948-6-0x0000000000330000-0x0000000000340000-memory.dmpFilesize
64KB
-
memory/948-8-0x0000000000360000-0x0000000000370000-memory.dmpFilesize
64KB
-
memory/948-4-0x0000000000300000-0x000000000031C000-memory.dmpFilesize
112KB
-
memory/948-7-0x0000000000340000-0x0000000000356000-memory.dmpFilesize
88KB
-
memory/948-5-0x0000000000320000-0x0000000000328000-memory.dmpFilesize
32KB
-
memory/948-14-0x0000000000640000-0x0000000000648000-memory.dmpFilesize
32KB
-
memory/1684-287-0x0000000000480000-0x0000000000492000-memory.dmpFilesize
72KB
-
memory/1736-198-0x00000000012E0000-0x00000000017D4000-memory.dmpFilesize
5.0MB
-
memory/2344-257-0x0000000000580000-0x0000000000592000-memory.dmpFilesize
72KB
-
memory/2508-184-0x0000000000250000-0x0000000000744000-memory.dmpFilesize
5.0MB
-
memory/2816-272-0x0000000000700000-0x0000000000712000-memory.dmpFilesize
72KB
-
memory/2876-213-0x00000000002F0000-0x00000000007E4000-memory.dmpFilesize
5.0MB
-
memory/3036-150-0x00000000024F0000-0x00000000024F8000-memory.dmpFilesize
32KB
-
memory/3036-138-0x000000001B190000-0x000000001B472000-memory.dmpFilesize
2.9MB