Overview

overview

10

Static

static

3

1d6590415f...de.exe

windows7-x64

10

1d6590415f...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d6590415fa189e9c982e883dc3bcdde.exe

  • Size

    3.3MB

  • MD5

    1d6590415fa189e9c982e883dc3bcdde

  • SHA1

    8261a5718af6eb9ebee4e822e5bd0138f7915dc3

  • SHA256

    7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649

  • SHA512

    304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e

  • SSDEEP

    98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Score
10/10
dcratumbralevasioninfostealerratstealertrojan

Malware Config

Signatures

  • DcRat 35 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d6590415fa189e9c982e883dc3bcdde.exe
    "C:\Users\Admin\AppData\Local\Temp\1d6590415fa189e9c982e883dc3bcdde.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4980
    • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
      "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Chainnet\hyperInto.exe
            "C:\Chainnet\hyperInto.exe"
            5⤵
            • DcRat
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4876
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\35gbisF1f8.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4640
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2356
                • C:\Chainnet\RuntimeBroker.exe
                  "C:\Chainnet\RuntimeBroker.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:556
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e37d544-eb03-41bb-9204-9f5058e45c37.vbs"
                    8⤵
                      PID:5080
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50fa1efc-28ec-42da-ae77-36f8a08a1342.vbs"
                      8⤵
                        PID:2428
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"
              3⤵
                PID:2352
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3224
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3268
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\odt\TrustedInstaller.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3592
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Chainnet\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4296
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Chainnet\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4144
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Chainnet\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Chainnet\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\TrustedInstaller.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\Registration\TrustedInstaller.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\TrustedInstaller.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Chainnet\explorer.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Chainnet\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Chainnet\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2980
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4112
          • C:\Windows\system32\wbem\WmiApSrv.exe
            C:\Windows\system32\wbem\WmiApSrv.exe
            1⤵
              PID:4564

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Chainnet\8f9Z3.vbe
              Filesize

              206B

              MD5

              b3080903ab3740f3f1346f2f61834c2b

              SHA1

              a5b37c9ea7a58c9194de44382d75dc4863d3d5b7

              SHA256

              505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1

              SHA512

              a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419

              Download Submit

            • C:\Chainnet\RuntimeBroker.exe
              Filesize

              704KB

              MD5

              40c603885f6d7d5cb0508c84436feda9

              SHA1

              b1fab7b715b6f09e851d38fccfd8d8bd2c13b28a

              SHA256

              087ba66edfc5e58a3b073d9a98b07020424fb291b19659e96a624bd41be82dcc

              SHA512

              0f223b7b9d69a41184f3b10c9f1c996c414e4b1d171ebaa3f7c8244cc3fcd02e8f5d8b5c0a9c06c6b68b9e20a10b80c4601ad5bd0955ff4ff74b1ea6b6b086cc

              Download Submit

            • C:\Chainnet\RuntimeBroker.exe
              Filesize

              64KB

              MD5

              e20aaa15f7df9906c624899eb6f380c5

              SHA1

              e8cd8ff0d3bbfd526492085aaf7293d812895fc3

              SHA256

              99d3cad1a43ed63f00dfd048c10aba4f4adc1f6ff00fdc6e83e4e5a2f36face9

              SHA512

              58ec1cb4ca05859a1071c0c024b0827f5ed04562b06ca5c97354a09a8e03704d30202bc1cc235d6ca45824d7f20c09abb94ad48a7f1b1eda5fdbaef93cacbec5

              Download Submit

            • C:\Chainnet\file.vbs
              Filesize

              34B

              MD5

              677cc4360477c72cb0ce00406a949c61

              SHA1

              b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

              SHA256

              f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

              SHA512

              7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

              Download Submit

            • C:\Chainnet\hyperInto.exe
              Filesize

              3.4MB

              MD5

              d63861446161da73423a6378ab06af5e

              SHA1

              8d3116fa2ac5d4e7fb9684498f69edf3e976f977

              SHA256

              c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd

              SHA512

              7bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88

              Download Submit

            • C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat
              Filesize

              27B

              MD5

              94db4d897ca54289c945a06574084128

              SHA1

              d4168950c994dacea1402a9570a4735350b86c10

              SHA256

              a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461

              SHA512

              2548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              2e907f77659a6601fcc408274894da2e

              SHA1

              9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

              SHA256

              385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

              SHA512

              34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\35gbisF1f8.bat
              Filesize

              194B

              MD5

              e22af88f06bfaf8ab6792406dbd00a46

              SHA1

              baf5def1fa803e7169a8a2d017b80bfe13345f50

              SHA256

              0c425fa9ede709397af35efbf3f22ee3ea28994b1e330b69e933c0edd9f8e731

              SHA512

              08c6ef6e6298bf3ca477d15c8529828ee738a326cb876a47d856e3479662096d93121a223f9ae696da97ae3817c630ea405f24caea3ddcba2b5167d9182fbdb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\50fa1efc-28ec-42da-ae77-36f8a08a1342.vbs
              Filesize

              481B

              MD5

              2729c97d3a35e9b5a00e55148b2b0a7e

              SHA1

              096d8022b852ac1678919993e54fda3b4634703f

              SHA256

              9bf1499754948f1921e65ca3d967407e6093c143db7d5cdf2ba8714d64f47828

              SHA512

              31325710773b9589e0f6f5e43041e3387000586c0b181a4efa258b0dcad0203316dd10b3af9e657ebad3995ed8cc5ae5d9be2398e21d31245cd09b55e95dc438

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7e37d544-eb03-41bb-9204-9f5058e45c37.vbs
              Filesize

              704B

              MD5

              f6285f4b987917037e49d4a05e41b6aa

              SHA1

              47df750fe66768247e184cdbc9fcd644bfbd3821

              SHA256

              cd1be04e6e858c4ae5da709f48f20b062c22dfb64e09334f2ac247b22c230847

              SHA512

              ff7f8334e1a3b378d33172701cafecd9402890be9e27eae0b5287953ac7901956d631546af4f4aac8d40e270cb2da5d01c31e76e2ecca7c3f97177a0fa65b266

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Injector.exe
              Filesize

              3.7MB

              MD5

              323e22b442e4d4f9930c5b65f6d1028c

              SHA1

              7dadf78756dd00c68d5094a59dc7bcccf3c8346d

              SHA256

              eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00

              SHA512

              2da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Injector.exe
              Filesize

              3.6MB

              MD5

              d1af83dc80d3c0ed8e223b24a9fcd1d1

              SHA1

              9e59970836e02bec76ab4623de7d88e4b92f98e6

              SHA256

              2be5af77d12f1141fc7f323e8782f195a465b8ad6f08c8fceaa371c56ba86400

              SHA512

              db1412d06426ad1dabf08bacc014e6eb2fc971ddb1b468b3c44383d71bf85148bdd3c4cb261618ea01ce9167de95348401cbf07870909f8c409c75d2fd3f746e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
              Filesize

              227KB

              MD5

              05c183f8c0d871d6081f1ea4096805e4

              SHA1

              4a05aba815c8471fca4fcc9a789683385b0c24ca

              SHA256

              eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

              SHA512

              ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ri2l15ql.bdx.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • memory/556-156-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/556-157-0x000000001D140000-0x000000001D152000-memory.dmp

              Filesize

              72KB

              Download

            • memory/556-158-0x000000001D2D0000-0x000000001D326000-memory.dmp

              Filesize

              344KB

              Download

            • memory/2012-64-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2012-1-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2012-2-0x000000001B910000-0x000000001B920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2012-0-0x00000000003B0000-0x00000000006FA000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2700-36-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2700-39-0x000001E21EE50000-0x000001E21EE60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2700-34-0x000001E2048B0000-0x000001E2048F0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2700-65-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3680-53-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3680-37-0x0000020F70160000-0x0000020F70170000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3680-35-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3680-38-0x0000020F70160000-0x0000020F70170000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3680-51-0x0000020F70160000-0x0000020F70170000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3680-50-0x0000020F70160000-0x0000020F70170000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4876-91-0x000000001B4E0000-0x000000001B4E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-107-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-87-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4876-88-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-89-0x000000001B4C0000-0x000000001B4DC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4876-90-0x000000001B560000-0x000000001B5B0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4876-85-0x0000000000670000-0x00000000009DA000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/4876-92-0x000000001B4F0000-0x000000001B500000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4876-93-0x000000001B500000-0x000000001B516000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4876-94-0x000000001B520000-0x000000001B528000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-95-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4876-96-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-97-0x000000001B530000-0x000000001B538000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-98-0x000000001B540000-0x000000001B550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4876-99-0x000000001B5D0000-0x000000001B5DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4876-100-0x000000001B5E0000-0x000000001B636000-memory.dmp

              Filesize

              344KB

              Download

            • memory/4876-101-0x000000001BE40000-0x000000001BE4C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-102-0x000000001BE50000-0x000000001BE58000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-103-0x000000001BE60000-0x000000001BE6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-104-0x000000001BE70000-0x000000001BE78000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-105-0x000000001BE80000-0x000000001BE92000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4876-106-0x000000001C3E0000-0x000000001C908000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4876-108-0x000000001BEC0000-0x000000001BECC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-86-0x0000000002AA0000-0x0000000002AAE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4876-109-0x000000001BED0000-0x000000001BED8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-110-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-111-0x000000001BEF0000-0x000000001BEFC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-112-0x000000001C160000-0x000000001C168000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-113-0x000000001C100000-0x000000001C10C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-114-0x000000001C110000-0x000000001C11A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4876-115-0x000000001C120000-0x000000001C12E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4876-116-0x000000001C130000-0x000000001C138000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-117-0x000000001C140000-0x000000001C14E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4876-118-0x000000001C150000-0x000000001C158000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-119-0x000000001C170000-0x000000001C17C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-120-0x000000001C180000-0x000000001C188000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4876-121-0x000000001C290000-0x000000001C29A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4876-122-0x000000001C190000-0x000000001C19C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4876-84-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4876-152-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4980-20-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4980-17-0x000002462E150000-0x000002462E160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4980-16-0x000002462E150000-0x000002462E160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4980-6-0x000002462E0D0000-0x000002462E0F2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4980-10-0x000002462E150000-0x000002462E160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4980-11-0x000002462E150000-0x000002462E160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4980-3-0x00007FFBC3530000-0x00007FFBC3FF1000-memory.dmp

              Filesize

              10.8MB

              Download