Analysis

  • max time kernel
    37s
  • max time network
    41s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-11-2024 13:35

General

  • Target

    Enzo project.exe

  • Size

    2.2MB

  • MD5

    83539ba7c5103e90cf7230812873abb5

  • SHA1

    aa84fc6f29b943e714f7be00e4cc7af957484381

  • SHA256

    e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1

  • SHA512

    e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487

  • SSDEEP

    24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Enzo project.exe
    "C:\Users\Admin\AppData\Local\Temp\Enzo project.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwji3ezw\wwji3ezw.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:352
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE918.tmp" "c:\Windows\System32\CSC3C9830F240514D029B99F451C10348F.TMP"
              6⤵
                PID:1576
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:816
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4872
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3496
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4204
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\spoolsv.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Local Security Authority Process.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\SearchHost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4684
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:848
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WuJvDQTIso.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4004
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4040
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:5160
                  • C:\Users\Admin\Recent\spoolsv.exe
                    "C:\Users\Admin\Recent\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4620

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          2e8eb51096d6f6781456fef7df731d97

          SHA1

          ec2aaf851a618fb43c3d040a13a71997c25bda43

          SHA256

          96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

          SHA512

          0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          45f53352160cf0903c729c35c8edfdce

          SHA1

          b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

          SHA256

          9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

          SHA512

          e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          dc4dd6766dd68388d8733f1b729f87e9

          SHA1

          7b883d87afec5be3eff2088409cd1f57f877c756

          SHA256

          3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

          SHA512

          3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          2ab9885ed803576dfcb4df976a3e7ca0

          SHA1

          49a54d1bb797dca76c41f6af288f9df6c705cf56

          SHA256

          9a7f8ca5a6bfcd5839a1cd029a116378bec3be1baec9db19bbe4f127199fb322

          SHA512

          b1f90e17c21425cd94a7f00438386ae40c7414784a96694432e340e35ba6a60e1176a2871a732474db4bd7080ebdbf4c476b61efa49fedf8208b382252ae25ba

        • C:\Users\Admin\AppData\Local\Temp\RESE918.tmp

          Filesize

          1KB

          MD5

          5230ec071aac6e5ed8c0120ace0e78ed

          SHA1

          18b91791163bbf5051db1ee215141c4e61524150

          SHA256

          036398275a586dc2e7741c95e9e53a066b217aaa93a699e1c10ca70577f6936f

          SHA512

          2fef45f865835cb41ee25636c7c36720145d8af68af519e935e902422c8def6a37e516cb91e5366e27ba3f244e7e8b1dabfa6b0d56cd0785c1f5b6df6cab185d

        • C:\Users\Admin\AppData\Local\Temp\WuJvDQTIso.bat

          Filesize

          209B

          MD5

          42a5e9a735b973505dc297ca767a309b

          SHA1

          edfade69edf57b706802bb501ac038480687ce02

          SHA256

          c1c2025a41e2584dece6997badbc958c437828b623886829ad46ea27e273e10f

          SHA512

          bd6e6bdce8ec6fe8791279e1ac6e06bba6e852a27db52288ec0f2e2878e5ba5e0d60cf533f6a2165ceef7af733f25d99c3ef288f91e1c324054402c28e8402a1

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gajxo0ta.upy.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe

          Filesize

          1.9MB

          MD5

          4ba31fe7c90af2148e83fe198cf99d7b

          SHA1

          bd86eece0e892752950a13282cb323e0775ecae4

          SHA256

          196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e

          SHA512

          79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

        • C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat

          Filesize

          93B

          MD5

          fb55729d3f331e20fb5c1e5377634743

          SHA1

          ad5d1b461d7608598e2683d66eeee3c2a38c625f

          SHA256

          8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9

          SHA512

          2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

        • C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe

          Filesize

          245B

          MD5

          dde897c67a0ad3384e01f44658e986d0

          SHA1

          51e5a863d22d2305da3d6e82ed2da727a6db5ffa

          SHA256

          f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57

          SHA512

          901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

        • \??\c:\Users\Admin\AppData\Local\Temp\wwji3ezw\wwji3ezw.0.cs

          Filesize

          365B

          MD5

          4ada0d13c435f631b778e9a184eff177

          SHA1

          49f853bff8379e4e11e057d7fe2b6e5b972c78d6

          SHA256

          db649b7edeff47ab70a17f7df16a8b3381f10301d1e1b882683eab1882892c05

          SHA512

          e7ea29898224a318690ae7814097f2fa9957fa133d41691b756bf8d53eef30fd4c84493adc6485dad15d55fa3fc5b0713cff5fb1b9e16f4361041fa21256f193

        • \??\c:\Users\Admin\AppData\Local\Temp\wwji3ezw\wwji3ezw.cmdline

          Filesize

          235B

          MD5

          f59b5f3e1fad8001428ab8a817a3a4b4

          SHA1

          c73a77ee2a7f1f5d6d2adc54520aa0aa3cf7f7a0

          SHA256

          3a2e0600cdd530eba74dd6d59fcae0d034758d4751e6e090b9cec3dd73db917c

          SHA512

          73ef6e857d7de67765f600c7021e2a20f302f01934365f6f855ddc08498739a230761e04e1b2d1f97d24b685dbc9d3c86a8ee7a76be984bcbb5ab7a318a613cf

        • \??\c:\Windows\System32\CSC3C9830F240514D029B99F451C10348F.TMP

          Filesize

          1KB

          MD5

          18cd3c457518e309b27cd1caa876f4da

          SHA1

          571463a0db7261c16f516b1e9a17f6aa934c8195

          SHA256

          24bdbb7671e171fb67e389cbb8357594d227ac851f3545b296c1d7b429f8ac4c

          SHA512

          1dcd29d3b8601a2d8ab094b635c5a1150cd2a6779725ca8c023df5f8e481eaa5da47c48b5f45a1cdc96c05f957a5076bb99d5277313d4d4d56fbb15ed9d8605e

        • memory/4108-17-0x000000001C000000-0x000000001C01C000-memory.dmp

          Filesize

          112KB

        • memory/4108-26-0x000000001BB90000-0x000000001BB9C000-memory.dmp

          Filesize

          48KB

        • memory/4108-55-0x000000001DD40000-0x000000001DEF3000-memory.dmp

          Filesize

          1.7MB

        • memory/4108-24-0x00000000031A0000-0x00000000031A8000-memory.dmp

          Filesize

          32KB

        • memory/4108-22-0x0000000003190000-0x000000000319E000-memory.dmp

          Filesize

          56KB

        • memory/4108-20-0x000000001C020000-0x000000001C038000-memory.dmp

          Filesize

          96KB

        • memory/4108-18-0x000000001C070000-0x000000001C0C0000-memory.dmp

          Filesize

          320KB

        • memory/4108-15-0x0000000003180000-0x000000000318E000-memory.dmp

          Filesize

          56KB

        • memory/4108-13-0x0000000000E50000-0x0000000001038000-memory.dmp

          Filesize

          1.9MB

        • memory/4108-12-0x00007FFF33403000-0x00007FFF33405000-memory.dmp

          Filesize

          8KB

        • memory/4872-64-0x000002677D6D0000-0x000002677D6F2000-memory.dmp

          Filesize

          136KB