Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 03:15

General

  • Target

    c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe

  • Size

    4.9MB

  • MD5

    0ebad9b503420a52d8624a119e9b0390

  • SHA1

    1f7ac06f73e31f55a13177d4d6e0992e9086c87a

  • SHA256

    c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d

  • SHA512

    ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report the flagged children are the 21 schtasks.exe invocations listed under Processes.

  • UAC bypass 3 TTPs 27 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here the sample issues twelve Add-MpPreference -ExclusionPath commands, one for the C: root and one for each of eleven top-level directories beneath it, which together exclude the entire system volume from scanning.

  • Executes dropped EXE 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 18 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
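
The Add-MpPreference commands listed under Processes below are the detail a hunter keys on: one exclusion for the volume root plus one per top-level directory. The following is an added example, not sandbox output and not code from the sample, that parses such command lines as they would appear in process-creation telemetry, classifies each exclusion by how much of the volume it covers, and builds the Remove-MpPreference line that reverses them. The twelve exclusion lines in the sample input are copied from the process tree; the narrow Contoso path and the w32tm line are constructed. Add-MpPreference belongs to the Defender PowerShell module, which is not available on the Windows 7 image used for this run, so the commands likely had no effect here; on a current Windows client they would exclude all of C: from scanning.

```python
"""Triage Defender-exclusion command lines for over-broad exclusions.

Added example for this report, not part of the sandbox output. The sample
command lines are copied from the process tree; the last two are constructed
to show a narrow exclusion and an unrelated command.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# One -ExclusionPath argument: a single- or double-quoted string, or a bare
# token; PowerShell also accepts a comma-separated list of these.
_ITEM = r"""(?:'[^']*'|"[^"]*"|[^\s,]+)"""
_EXCL_RE = re.compile(
    r"-ExclusionPath\s+(" + _ITEM + r"(?:\s*,\s*" + _ITEM + r")*)", re.IGNORECASE
)
_ITEM_RE = re.compile(_ITEM)
_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)


def exclusion_paths(cmdline: str) -> list[str]:
    """Return every path the command line adds to Defender's exclusion list."""
    if not _CMDLET_RE.search(cmdline):
        return []
    paths = []
    for m in _EXCL_RE.finditer(cmdline):
        paths.extend(item.strip("'\"") for item in _ITEM_RE.findall(m.group(1)))
    return paths


def exclusion_breadth(path: str) -> str:
    """Classify how much of a volume an exclusion covers.

    Defender accepts '/' as well as '\\' in paths (the sample uses '/'), so
    both are normalised before counting components; a trailing wildcard such
    as 'C:\\*' is treated like the directory it sits in.
    """
    p = PureWindowsPath(path.replace("/", "\\"))
    if not p.drive:
        return "relative"  # not anchored to a volume; review by hand
    names = list(p.parts[1:])  # parts[0] is the 'C:\\' anchor
    while names and names[-1] in ("*", "**"):
        names.pop()
    if not names:
        return "volume"
    if len(names) == 1:
        return "top-level"
    return "narrow"


def broad_exclusions(cmdlines) -> list[tuple[str, str]]:
    """(path, breadth) for every volume-wide or top-level exclusion seen."""
    hits = []
    for line in cmdlines:
        for path in exclusion_paths(line):
            breadth = exclusion_breadth(path)
            if breadth in ("volume", "top-level"):
                hits.append((path, breadth))
    return hits


def remediation_command(paths) -> str:
    """Build the Remove-MpPreference line that reverses the given exclusions."""
    quoted = ",".join("'" + p.replace("'", "''") + "'" for p in paths)
    return "Remove-MpPreference -ExclusionPath " + quoted


# Command lines from the report's process tree (children of PID 2076), plus
# two constructed lines: a narrow exclusion and a command that is not one.
SAMPLE_CMDLINES = r"""
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Contoso\Cache\'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
""".strip().splitlines()

if __name__ == "__main__":
    hits = broad_exclusions(SAMPLE_CMDLINES)
    for path, breadth in hits:
        print(f"{breadth:9} {path}")
    print(remediation_command([p for p, _ in hits]))
```

Run against the sample input it reports one volume-wide exclusion and eleven top-level ones and prints a single Remove-MpPreference line covering all twelve; the constructed Contoso path is classified as narrow and left alone, which is the distinction an analyst wants when legitimate software exclusions sit next to malicious ones.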

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
    "C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d0cSnkaL9P.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2092
        • C:\Users\Admin\AppData\lsm.exe
          "C:\Users\Admin\AppData\lsm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2328
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd314fa-e8d5-4afa-9ede-191df6fdcf09.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Users\Admin\AppData\lsm.exe
              C:\Users\Admin\AppData\lsm.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2552
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d682307a-1b24-4170-b448-e2b5498e5666.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1804
                • C:\Users\Admin\AppData\lsm.exe
                  C:\Users\Admin\AppData\lsm.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:616
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbc88dea-0fea-499a-93c8-3dc16d3ad5b3.vbs"
                    8⤵
                      PID:2052
                      • C:\Users\Admin\AppData\lsm.exe
                        C:\Users\Admin\AppData\lsm.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1712
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e19baf-127c-4e07-a076-c1534dfc3e03.vbs"
                          10⤵
                            PID:2588
                            • C:\Users\Admin\AppData\lsm.exe
                              C:\Users\Admin\AppData\lsm.exe
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1744
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252b82f0-3c91-4284-8bdc-f7390fb709be.vbs"
                                12⤵
                                  PID:1432
                                  • C:\Users\Admin\AppData\lsm.exe
                                    C:\Users\Admin\AppData\lsm.exe
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1848
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fce2b944-67ac-47bd-b48d-f093860c096c.vbs"
                                      14⤵
                                        PID:1268
                                        • C:\Users\Admin\AppData\lsm.exe
                                          C:\Users\Admin\AppData\lsm.exe
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1784
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fce7411-754a-4611-8402-fe33b419e5ac.vbs"
                                            16⤵
                                              PID:988
                                              • C:\Users\Admin\AppData\lsm.exe
                                                C:\Users\Admin\AppData\lsm.exe
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:600
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca45089f-48ee-4045-82f6-004d39f50973.vbs"
                                                  18⤵
                                                    PID:1632
                                                    • C:\Users\Admin\AppData\lsm.exe
                                                      C:\Users\Admin\AppData\lsm.exe
                                                      19⤵
                                                        PID:2300
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867d64b2-ace0-4de8-ab41-b97e520b76f9.vbs"
                                                      18⤵
                                                        PID:1756
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\312c7d37-c1a5-4f66-a2be-2ddbeb578714.vbs"
                                                    16⤵
                                                      PID:1408
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89bbf95-aac5-4cf5-b833-9300a4359859.vbs"
                                                  14⤵
                                                    PID:2476
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\573fe1c5-b9cd-428d-9a8b-5982af627f2e.vbs"
                                                12⤵
                                                  PID:2688
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f2834b-eee2-4e7d-9898-779e3b199b68.vbs"
                                              10⤵
                                                PID:1068
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601a7f10-b8a1-4fdd-aa8b-e53e9dcb8440.vbs"
                                            8⤵
                                              PID:2816
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ae61de-3c7e-412d-a584-ea6d5a6b23b2.vbs"
                                          6⤵
                                            PID:2796
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc47e8b9-b381-4106-9f7e-2731e0e8355d.vbs"
                                        4⤵
                                          PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dNc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dNc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2068
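
The 21 schtasks.exe entries above follow one pattern per dropped copy: an ONLOGON task at /rl HIGHEST plus one or two MINUTE-interval tasks that re-launch it, with the binary named after a Windows or Office system process (lsm, csrss, winlogon, spoolsv, taskhost, OSPPSVC) but stored outside that process's real location. The following is an added example, not sandbox output and not the sample's own code, that parses schtasks /create command lines and reports tasks whose action impersonates a system binary or runs an executable from outside \Windows and \Program Files. The SYSTEM_BINARY_HOMES allow-list and the two trailing sample lines (a benign-looking task and a /query call) are assumptions constructed for the example; the other sample lines are copied from the tree above. The copy under Program Files (x86)\Windows Mail keeps the sample's original file name, so neither heuristic catches it; that one needs a hash or signer check instead.

```python
"""Triage `schtasks /create` command lines for persistence that masquerades
as Windows system processes.

Added example for this report, not part of the sandbox output. The sample
command lines are a subset of the schtasks.exe invocations in the process
tree; the last two are constructed (a benign-looking task and a /query call).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Where the impersonated binaries live on a 64-bit Windows install. This is
# an assumed allow-list for the example, not data from the report.
SYSTEM_BINARY_HOMES = {
    "lsm.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "taskhost.exe": r"C:\Windows\System32",
    "osppsvc.exe": r"C:\Program Files\Common Files\Microsoft Shared"
                   r"\OfficeSoftwareProtectionPlatform",
}

# /switch followed by an optional value: a double-quoted string or a bare
# token that does not itself start with '/'.
_ARG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Map lower-cased switches to values for a /create command, else None."""
    args = {k.lower(): v.strip('"') for k, v in _ARG_RE.findall(cmdline)}
    return args if "create" in args else None


def action_executable(tr: str) -> str:
    """Program path from a /tr value: optionally quoted, possibly with args."""
    s = tr.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


@dataclass
class TaskFinding:
    task: str
    exe: str
    masquerades_as: Optional[str]    # real home of the impersonated binary
    outside_program_dirs: bool       # not under \Windows or \Program Files*
    interval_minutes: Optional[int]  # /sc MINUTE /mo N watchdog re-launch
    highest: bool                    # /rl HIGHEST

    @property
    def suspicious(self) -> bool:
        # HIGHEST and interval triggers are common in legitimate tasks, so
        # only the two strong indicators decide on their own.
        return bool(self.masquerades_as) or self.outside_program_dirs


def triage_task(cmdline: str) -> Optional[TaskFinding]:
    """Parse one command line and score its action; None if not a /create."""
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    exe = action_executable(args.get("tr", ""))
    p = PureWindowsPath(exe)
    home = SYSTEM_BINARY_HOMES.get(p.name.lower())
    masq = home if home and str(p.parent).lower() != home.lower() else None
    drive = p.drive.lower()
    program_dirs = (drive + "\\windows\\", drive + "\\program files")
    outside = bool(exe) and not str(p).lower().startswith(program_dirs)
    interval = int(args.get("mo", "1")) if args.get("sc", "").upper() == "MINUTE" else None
    return TaskFinding(
        task=args.get("tn", ""), exe=exe, masquerades_as=masq,
        outside_program_dirs=outside, interval_minutes=interval,
        highest=args.get("rl", "").upper() == "HIGHEST",
    )


def triage(cmdlines) -> list[TaskFinding]:
    """Findings for every suspicious /create command in the input."""
    findings = (triage_task(line) for line in cmdlines)
    return [f for f in findings if f is not None and f.suspicious]


SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\lsm.exe'" /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Contoso Backup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Contoso\backup.exe' --full" /rl HIGHEST /f
schtasks.exe /query /tn "lsm" /v
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.task:10} {f.exe}  masquerade={bool(f.masquerades_as)} "
              f"outside={f.outside_program_dirs} every={f.interval_minutes} highest={f.highest}")
```

Seven of the nine sample lines are reported. The taskhost.exe and OSPPSVC.exe copies sit under Program Files, so only the masquerade check catches them, which is why both heuristics are needed rather than a location check alone; the constructed Contoso task runs at HIGHEST but is neither impersonating a system binary nor outside the program directories, so it is left alone.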

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\MSOCache\All Users\spoolsv.exe

                                    Filesize

                                    4.9MB

                                    MD5

                                    0ebad9b503420a52d8624a119e9b0390

                                    SHA1

                                    1f7ac06f73e31f55a13177d4d6e0992e9086c87a

                                    SHA256

                                    c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d

                                    SHA512

                                    ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40

                                  • C:\Program Files\VideoLAN\VLC\taskhost.exe

                                    Filesize

                                    4.9MB

                                    MD5

                                    54878a3d7bfd2137a80356eecf97a0b7

                                    SHA1

                                    6ba0fface64e0d2dbe338a9bd2ba9ad3edebbcf9

                                    SHA256

                                    8f9794b29859c41dda6abf871abdc308fbe34e5492070a1ab9cd6e1ab0feadf1

                                    SHA512

                                    b4e494e28998d233059b4992ac81bc34be7f1b5a7b9bd79ff989faa29782f5f9ebe9cf1e9ca12cd694890b305b13c88ae13dbbe3da36cb5cbbd1b6ec67e1954d

                                  • C:\Users\Admin\AppData\Local\Temp\0bd314fa-e8d5-4afa-9ede-191df6fdcf09.vbs

                                    Filesize

                                    706B

                                    MD5

                                    94f24c4f76e574cb76aa546ffcd3d9b7

                                    SHA1

                                    fc5d2c70a76230fea20a00878fdace30ee3b59bf

                                    SHA256

                                    aab888c316ebcc1afad58409b849651c56690669759ffdab9267db22dc587dca

                                    SHA512

                                    9d6e16269437bbc419da67e1200152aa9a69697cf1f64b32c0a85744cc12f4c7217bc0c4a45b929b81349af630bb82be48fa2cafc9cccb06c40f30b2924746af

                                  • C:\Users\Admin\AppData\Local\Temp\10770bd47368861c1bd3fed1700d203ad75762c4.exe

                                    Filesize

                                    4.9MB

                                    MD5

                                    2bdf88f95eefab58442e317326670113

                                    SHA1

                                    2450f81b62f48cdcbfe58f811572828bfed3eb2a

                                    SHA256

                                    a9d1412122518f5f5d592e9814592420d400674cee43fd487d8dc6cb5ef2f208

                                    SHA512

                                    52ba1e85a362fa19c987c8d76810cd01627808473259a25aa1f4f5ed70c3b75acff6ed5950ec4cf7b8056ab8528518be5eff5f3c974fb8696bddd3f9a00ad71d

                                  • C:\Users\Admin\AppData\Local\Temp\252b82f0-3c91-4284-8bdc-f7390fb709be.vbs

                                    Filesize

                                    706B

                                    MD5

                                    fcf4617094e46f29e9de498b931fe0b3

                                    SHA1

                                    2113a2b64572c74ae0e825e3cccdf4c529b04bde

                                    SHA256

                                    0a3e5b5633e3effb64d0aa300e5473d3791a975f01590e29d535b42334a91fe8

                                    SHA512

                                    d02fe77f1d9492a5571bc9b399068ce32e88492d55ed4d0515a7eb3c88ba425f71e56195121c5e2d7d72880f32f3138e94ad9121d68a47cf5d05655928ca396e

                                  • C:\Users\Admin\AppData\Local\Temp\5fce7411-754a-4611-8402-fe33b419e5ac.vbs

                                    Filesize

                                    706B

                                    MD5

                                    6451a36b580f6aa6eec166de2bec6a12

                                    SHA1

                                    ab3abe3db434c87cf197ce97fb0ad0f30a5daebb

                                    SHA256

                                    db9db0139c43e085326bce3e5c158fbcb6a1c74e4beed2c1ab8f80b632b43ceb

                                    SHA512

                                    789bc5036e94f7c49d86d7e507f1188d0bfdc49099c02b73a3cf29973bedb0a256eda44d809ab24c8cda0cbe9282d21838ac6d7a8cf00debbe4e154bf9027342

                                  • C:\Users\Admin\AppData\Local\Temp\a8e19baf-127c-4e07-a076-c1534dfc3e03.vbs

                                    Filesize

                                    706B

                                  • C:\Users\Admin\AppData\Local\Temp\ca45089f-48ee-4045-82f6-004d39f50973.vbs

                                    Filesize

                                    705B

                                  • C:\Users\Admin\AppData\Local\Temp\cbc88dea-0fea-499a-93c8-3dc16d3ad5b3.vbs

                                    Filesize

                                    705B

                                  • C:\Users\Admin\AppData\Local\Temp\d0cSnkaL9P.bat

                                    Filesize

                                    195B

                                  • C:\Users\Admin\AppData\Local\Temp\d682307a-1b24-4170-b448-e2b5498e5666.vbs

                                    Filesize

                                    706B

                                  • C:\Users\Admin\AppData\Local\Temp\dc47e8b9-b381-4106-9f7e-2731e0e8355d.vbs

                                    Filesize

                                    482B

                                  • C:\Users\Admin\AppData\Local\Temp\fce2b944-67ac-47bd-b48d-f093860c096c.vbs

                                    Filesize

                                    706B

                                  • C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp.exe

                                    Filesize

                                    75KB

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                    Filesize

                                    7KB

                                  • C:\Users\Admin\AppData\lsm.exe

                                    Filesize

                                    2.5MB
