Resubmissions

30/10/2024, 05:15

241030-fxr2haylfm 10

15/09/2024, 10:03

240915-l3teeaxhld 10

30/07/2024, 12:21

240730-pjcjbsybjr 10

Analysis

  • max time kernel
    61s
  • max time network
    45s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • submitted
    30/07/2024, 12:21

General

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SampCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\SampCheat.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
            "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5808
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4hizs0l\x4hizs0l.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3252
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC999.tmp" "c:\Windows\System32\CSC177E7DC6B824077B499109FF66BE3D1.TMP"
                7⤵
                PID:1212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3116
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4756
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4636
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2452
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2128
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2220
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l6onJHxmYw.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3564
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:5736
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:2456
              • C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe
                "C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:5512
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5108
            • C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
              "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3736
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Synaptics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 11 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 9 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5188

Network

MITRE ATT&CK Enterprise v15

Downloads