Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 16:10

General

  • Target

    a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe

  • Size

    1.7MB

  • MD5

    9d62f5b5d9eca0a94ba46565918695f0

  • SHA1

    71bfc63978a703ba9f0b18dae7d2ca67018b7fe8

  • SHA256

    a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d

  • SHA512

    a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
    "C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Users\All Users\Documents\WmiPrvSE.exe
      "C:\Users\All Users\Documents\WmiPrvSE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01d0f64-bab7-447d-873d-7113f08c5dcf.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Users\All Users\Documents\WmiPrvSE.exe
          "C:\Users\All Users\Documents\WmiPrvSE.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:340
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98eaecb-a980-4b9f-af27-4df86f571112.vbs"
        3⤵
          PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Characters\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1528

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\MSOCache\All Users\services.exe

            Filesize

            1.7MB


          • C:\Program Files (x86)\Windows Mail\en-US\services.exe

            Filesize

            1.7MB


          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe

            Filesize

            1.7MB


          • C:\Users\Admin\AppData\Local\Temp\d98eaecb-a980-4b9f-af27-4df86f571112.vbs

            Filesize

            493B


          • C:\Users\Admin\AppData\Local\Temp\e01d0f64-bab7-447d-873d-7113f08c5dcf.vbs

            Filesize

            716B


          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

            Filesize

            7KB


          • C:\Users\Public\Documents\WmiPrvSE.exe

            Filesize

            1.7MB


          • C:\Windows\Media\Characters\smss.exe

            Filesize

            1.7MB


          • C:\Windows\it-IT\WmiPrvSE.exe

            Filesize

            1.7MB

