Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/12/2024, 02:37

General

  • Target

    b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe

  • Size

    2.8MB

  • MD5

    1d7d311dcf59159f75a359a7da19226c

  • SHA1

    6c4b66600d421112b33372f85168bba68c6fac38

  • SHA256

    b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd

  • SHA512

    a7bd62f683a7e50c31654136faf1eec8a51fdcf965541a21df0e5165315d6aafe899c30abd4c5d3eeb1970b41128e62ff63a3866a87d227dbc549d597d5953bd

  • SSDEEP

    49152:kr8U+ST8nT/r5mZxSuCspYhU7F6511YoWN/qiUt9ETxJ5WGAf2VR:FSi/rwZYuCspQUA5vNWNqGfAGAA

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe
    "C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1340
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1616
        • C:\Program Files (x86)\Windows Defender\de-DE\System.exe
          "C:\Program Files (x86)\Windows Defender\de-DE\System.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Recent\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efdb" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd" /sc ONLOGON /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efdb" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1788

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Google\Temp\Registry.exe

            Filesize

            2.8MB

            MD5

            d285137648e1868dd27ada1a95943439

            SHA1

            9e663ca7319949f161ae9098044be75b0cf46aeb

            SHA256

            f58e475acc1dc5d0723334c8a43bc67df529e57ec57793d35ec3f84ebe7cf0da

            SHA512

            3d7f2898acd9ffe8e7f2ff60124187c62cc5c05e645337ffd2c4db7167f948782dfb0a77280bbc4b12843efeac5b3f11ae5ff32c059c6d15c08dba74d502a6db

          • C:\Program Files\Microsoft Office\Office16\SearchApp.exe

            Filesize

            2.8MB

            MD5

            bfb0e24b2550e2a3a349bc6d3a2db938

            SHA1

            8f158df9be412e6900143c82531634aa62ddb538

            SHA256

            64382c74c6235456bd2cdeffae70b5f74124070bc4b20df5283a07ff2c87bb8e

            SHA512

            72e01cd9a186e868e17fc25f566ebb6fbf74ace021f9a45f264921d6bc0463abd938b4e30c5e4b83c9e1022fc441ca40be03f06dad40eead7dee35d74a261be6

          • C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe

            Filesize

            2.8MB

            MD5

            1c44ccd3d708b7aefecb3e498bce55bf

            SHA1

            655420619a0b39df9629de40490d600f4ae9cb7f

            SHA256

            c082540e1eda85f47a2443a0717efcc1ccf5267bc71ede3eda3a30533d8a95e1

            SHA512

            5ba7c6c0c41fa782ee3f7d7b57abc55dd28b088c571b89078b1ad5c68bf0c59f80d71ded0c7dd54b3b3249b123f2a23084b292d0cdcc32489c0966eb5fca4038

          • C:\Recovery\WindowsRE\SppExtComObj.exe

            Filesize

            2.8MB

            MD5

            8aae8aa6f3e015a7ebf032f584d0bfc3

            SHA1

            858c005e5032987c113ad7ee749167bebdc65dc1

            SHA256

            1436a83e958774aae459deb4a1a27f77853223dbd04f08b17580622851de3034

            SHA512

            ba0a5352df8d3c14337b3acd993fa8ec449764e6608ff7837393361a80a4b72131abd055260933a64607378c55849df407a5623ba857491417a0e51cf5d3c97b

          • C:\Recovery\WindowsRE\unsecapp.exe

            Filesize

            2.8MB

            MD5

            1d7d311dcf59159f75a359a7da19226c

            SHA1

            6c4b66600d421112b33372f85168bba68c6fac38

            SHA256

            b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd

            SHA512

            a7bd62f683a7e50c31654136faf1eec8a51fdcf965541a21df0e5165315d6aafe899c30abd4c5d3eeb1970b41128e62ff63a3866a87d227dbc549d597d5953bd

          • C:\Recovery\WindowsRE\unsecapp.exe

            Filesize

            2.8MB

            MD5

            5fbf26f52cd2eaac85cfc3e339509020

            SHA1

            b50773f2a2df87d2269973de08caa35f00ce16e6

            SHA256

            dcc82314995e074943ddae1fb6f46e05f38d1d0a85567122123c74d443c7ab0b

            SHA512

            f512a17bb3aa58cc4b64cd9df0a626373c63762442b447a7fc4129998e1a92fb91085fc565ad3b99bc9475825b575738482e9c3575cc9604dc557cfbccc39590

          • C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat

            Filesize

            221B

            MD5

            f64474af7af16925dbc73fc136722ca7

            SHA1

            d1e6f6fdaf3d72ff4d89a3b73fb889c4bfe321ba

            SHA256

            2e36e11d8624065fa57a9b319c02acf39bb93b44a4f0b2f522dff2a62dc447c8

            SHA512

            30073efc97e0e10513f7fb1800f2febe4dc91e31b03d5640c288d48db487832e765015d33d751313e71463c5eacab8c1757d0756d5c05ac45cd1aeb5ce0c095c

          • C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe

            Filesize

            2.8MB

            MD5

            dd14a399c38ac4f643d53510540eaf84

            SHA1

            fd7ce90b55463ea726a8d959316dc3fc1aa5fd67

            SHA256

            eec73eb05fee0ec132789a322569f52b8ee91334b5b315fb8c74c65c048d4f45

            SHA512

            9ba2b71ef057931efd1fd5c8e6e9fbb85d1f0791fc57046f06013a0b0e797a4a33f5ab7483057821d232cc45abfbaf02903e04440e51a77ec3ab3ed31d8a29d1
